CVE-2026-48874

Vulnerability

The GamiPress plugin for WordPress contains a SQL injection vulnerability in versions 7.8.7 and earlier. The flaw allows authenticated users with Subscriber-level privileges to inject arbitrary SQL queries into database queries, exploiting unsanitized input parameters [1]. The vulnerable code path is reachable without special configurations.

Exploitation

An attacker must have a Subscriber account on the target WordPress site. No additional privileges or user interaction is required. The attacker can send specially crafted input that bypasses input sanitization, leading to SQL injection. This can be performed remotely over HTTP requests [1].

Impact

Successful exploitation enables the attacker to execute arbitrary SQL commands against the site's database. This can result in information disclosure (e.g., usernames, passwords, sensitive data) and potentially data modification or deletion. The attacker, though initially a low-privilege subscriber, gains effective control over the database backend [1].

Mitigation

The vendor released version 7.8.8 which resolves the vulnerability. Users are strongly advised to update immediately. If an immediate update is not possible, Patchstack offers a mitigation rule to block attacks until the patch is applied. No other workarounds have been disclosed [1].