CVE-2026-42665

Vulnerability

An unauthenticated SQL injection vulnerability exists in the WP Data Access plugin for WordPress, affecting versions 5.5.70 and earlier. The flaw allows an attacker to inject arbitrary SQL queries without requiring authentication, due to insufficient sanitization of user-supplied input. [1]

Exploitation

An attacker can exploit this vulnerability remotely by sending a crafted HTTP request to the vulnerable WordPress site. No authentication or special network position is required; the attacker only needs network access to the target site. The exploit involves injecting malicious SQL statements through an input parameter that is not properly sanitized before being used in a database query. [1]

Impact

Successful exploitation allows the attacker to directly interact with the underlying database, including stealing sensitive information, modifying data, or potentially escalating to further compromise of the server. The CVSS score of 9.3 (Critical) underscores the severity of the impact. This vulnerability is expected to be used in mass-exploit campaigns targeting thousands of websites. [1]

Mitigation

The vendor has released version 5.5.71 to fix the vulnerability. Users should update to this version or later immediately. If unable to update, users can apply a mitigation rule (available from Patchstack) that blocks attacks until the plugin is updated. Patchstack users can enable auto-update for vulnerable plugins. No other workarounds are documented. [1]