VYPR
High severity · 7.5 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-40762

Description

Unauthenticated SQL injection in WPGraphQL plugin for WordPress versions before 2.11.1 allows remote attackers to interact with the database.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The WPGraphQL plugin for WordPress contains an unauthenticated SQL injection vulnerability in all releases before 2.11.1 [1]. The flaw lies in the GraphQL endpoint, which lets an attacker inject arbitrary SQL into database queries without authenticating.

Exploitation

An attacker can exploit this vulnerability by sending crafted GraphQL requests to the vulnerable endpoint [1]. No authentication or user interaction is required. The attack is network-based and can be performed remotely. The vulnerability is expected to be used in mass-exploit campaigns targeting thousands of websites.

Impact

Successful exploitation allows an attacker to directly interact with the database, potentially leading to data theft, modification, or deletion [1]. The impact includes information disclosure and possible compromise of the entire WordPress installation.

Mitigation

The vulnerability is fixed in version 2.11.1 [1]. Users should update to version 2.11.1 or later immediately. Patchstack has issued a mitigation rule to block attacks until the update is applied. No workarounds are provided other than updating.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0

No linked articles in our index yet.