CVE-2026-39581

Vulnerability

The WP Sessions Time Monitoring Full Automatic plugin for WordPress versions 1.1.4 and earlier contains a SQL injection vulnerability exploitable by authenticated users with Subscriber-level access. The plugin fails to properly sanitize user-supplied input before using it in SQL queries, allowing an attacker to inject arbitrary SQL commands. [1]

Exploitation

An attacker needs a valid WordPress account with at least the Subscriber role. By sending crafted input to a vulnerable parameter, the attacker can inject malicious SQL statements. The vulnerability is expected to be used in mass-exploit campaigns targeting thousands of sites simultaneously. [1]

Impact

Successful exploitation allows the attacker to directly interact with the database, including reading sensitive information such as user credentials and other stored data. The attacker may also be able to modify or delete database contents, leading to further compromise. [1]

Mitigation

The vulnerability is fixed in version 1.1.5. Users should update to this version or later immediately. Patchstack has issued a mitigation rule to block attacks until the update is applied. No other workarounds are available. [1]