High severity7.6NVD Advisory· Published Jun 16, 2026· Updated Jun 16, 2026

CVE-2026-52712

Description

Subscriber-level SQL injection in Attendance Manager plugin for WordPress versions <= 0.6.2 allows authenticated attackers to interact with the database, potentially leading to data theft.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Subscriber-level SQL injection in Attendance Manager plugin for WordPress versions <= 0.6.2 allows authenticated attackers to interact with the database, potentially leading to data theft.

Vulnerability

The Attendance Manager plugin for WordPress versions 0.6.2 and earlier contains a SQL injection vulnerability exploitable by users with the Subscriber role or higher. The vulnerability arises from insufficient sanitization of user-supplied input before inclusion in SQL queries, allowing an attacker to inject arbitrary SQL commands. [1]

Exploitation

An attacker must be authenticated as a Subscriber or higher. Successful exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page. Once triggered, the attacker can inject SQL commands into the database query. [1]

Impact

Successful exploitation enables the attacker to directly interact with the database, including reading, modifying, or deleting data. This could lead to information disclosure, privilege escalation, or full site compromise. The vulnerability is considered highly dangerous and is expected to be used in mass-exploit campaigns. [1]

Mitigation

The vulnerability is fixed in version 0.6.3. Users should update immediately. Patchstack has issued a mitigation rule to block attacks until the update is applied. [1]

References

SQL Injection in WordPress Attendance Manager Plugin

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

WordPress/Attendance Managerinferred2 versions
<=0.6.2+ 1 more
- (no CPE)range: <=0.6.2
- (no CPE)range: <=0.6.2
Package: https://wordpress.org/plugins/attendance-manager

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

patchstack.com/database/wordpress/plugin/attendance-manager/vulnerability/wordpress-attendance-manager-plugin-0-6-2-sql-injection-vulnerabilitynvd

News mentions

No linked articles in our index yet.

cvss	0.494
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000