CVE-2026-42646
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Steve Burge TaxoPress simple-tags allows Blind SQL Injection. This issue affects TaxoPress: from n/a through <= 3.44.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The TaxoPress plugin for WordPress (formerly known as Simple Tags) contains a blind SQL injection vulnerability in versions 3.44.0 and earlier. The root cause is improper neutralization of special elements used in an SQL command ('SQL Injection') in the plugin's input handling, which allows an attacker to inject arbitrary SQL through user-supplied parameters. [1]
Exploitation does not require authentication, making the attack surface broad. An attacker can send specially crafted HTTP requests to the vulnerable endpoint, injecting SQL commands that are executed against the WordPress database. The blind nature of the injection means the attacker may not see direct output but can infer information through boolean-based or time-based responses. [1]
Successful exploitation allows an attacker to extract sensitive data from the database, including user credentials, session tokens, and other stored information. The advisory notes that this vulnerability is considered high severity (CVSS 7.6) and is known to be used in mass-exploit campaigns targeting thousands of websites. [1]
The vendor has released version 3.45.0 which fixes the vulnerability. Users are strongly advised to update immediately. For those unable to update, contacting the hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates. [1]
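The page does not show the plugin's affected code, so the following is an added illustration, not TaxoPress code: a hypothetical WordPress query that concatenates a request parameter into SQL, next to the same lookup bound through $wpdb->prepare(). Function names (demo_*) and the choice of table are assumptions for the example; $wpdb, absint(), sanitize_text_field() and $wpdb->esc_like() are standard WordPress APIs.

```php
<?php
// Added example (not TaxoPress code): a string-built query beside its
// parameterised replacement. Function names and the table are hypothetical.

// Pattern to avoid: untrusted input concatenated into the SQL text, so any
// SQL syntax in $term_id changes the statement the database executes.
function demo_get_term_posts_unsafe( $term_id ) {
    global $wpdb;
    $sql = "SELECT object_id FROM {$wpdb->term_relationships} "
         . "WHERE term_taxonomy_id = " . $term_id;
    return $wpdb->get_col( $sql );
}

// Hardened form: validate the type first, then bind the value through
// $wpdb->prepare() so it can only ever be interpreted as data.
function demo_get_term_posts_safe( $term_id ) {
    global $wpdb;
    $term_id = absint( $term_id );   // non-negative integer or 0
    if ( 0 === $term_id ) {
        return array();
    }
    $sql = $wpdb->prepare(
        "SELECT object_id FROM {$wpdb->term_relationships} WHERE term_taxonomy_id = %d",
        $term_id
    );
    return $wpdb->get_col( $sql );
}

// String inputs use the %s placeholder, which quotes and escapes the value.
// LIKE patterns additionally need $wpdb->esc_like() so that user-supplied
// wildcard characters are matched literally rather than as wildcards.
function demo_find_tags_by_prefix( $prefix ) {
    global $wpdb;
    $like = $wpdb->esc_like( sanitize_text_field( $prefix ) ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT term_id, name FROM {$wpdb->terms} WHERE name LIKE %s LIMIT 50",
        $like
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}
```

The placeholder type matters: %d coerces to an integer and %s produces a quoted, escaped string, so a value reaching the query through either cannot alter the statement's structure, which is the property the unsafe variant lacks.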
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.