Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PublishPress PublishPress Authors publishpress-authors allows SQL Injection. This issue affects PublishPress Authors: from n/a through <= 4.7.3.
Published: 2025-03-15
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of special elements in SQL commands allows attackers to inject arbitrary SQL statements into queries executed by the PublishPress Authors plugin for WordPress. This is a classic SQL injection flaw (CWE-89) that can lead to data exfiltration, modification, or deletion of database contents, potentially compromising confidentiality, integrity, and availability of the site's data.

Affected Systems

PublishPress Authors, a WordPress plugin distributed by PublishPress, is affected in all releases up to and including version 4.7.3. The flaw is present in every installation of these versions on any WordPress site, regardless of site configuration or user role.

Risk and Exploitability

The CVSS score of 7.6 indicates high severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that authentication is not explicitly required, so the flaw may be exploitable by unauthenticated or low-privileged users. The lack of input sanitization enables attackers to execute arbitrary SQL commands, which could compromise the confidentiality, integrity, or availability of the site data.

Generated by OpenCVE AI on May 2, 2026 at 03:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and install any available update to PublishPress Authors that removes the SQL injection vulnerability; upgrade when a fixed version is released.
  • If an update is not yet available, disable the plugin for unauthenticated users or limit administrative access to trusted users to reduce exposure.
  • Apply a web application firewall or configure input validation rules to block malicious SQL payloads targeting the plugin’s API endpoints, and monitor database logs for abnormal queries.

Generated by OpenCVE AI on May 2, 2026 at 03:30 UTC.

Advisories

Source: EUVD
ID: EUVD-2025-6646
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PublishPress PublishPress Authors allows SQL Injection. This issue affects PublishPress Authors: from n/a through 4.7.3.

History

Thu, 23 Apr 2026 15:00:00 +0000
Type: Metrics cvssV3_1
Value: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
Type: Description
Value removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PublishPress PublishPress Authors allows SQL Injection. This issue affects PublishPress Authors: from n/a through 4.7.3.
Value added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PublishPress PublishPress Authors publishpress-authors allows SQL Injection.This issue affects PublishPress Authors: from n/a through <= 4.7.3.
Type: References
Type: Metrics cvssV3_1
Value: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Tue, 15 Jul 2025 13:45:00 +0000
Type: Metrics epss
Value removed: {'score': 0.00047}
Value added: {'score': 0.00065}

Mon, 17 Mar 2025 17:15:00 +0000
Type: Metrics ssvc
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 15 Mar 2025 22:15:00 +0000
Type: Description
Value: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PublishPress PublishPress Authors allows SQL Injection. This issue affects PublishPress Authors: from n/a through 4.7.3.
Type: Title
Value: WordPress PublishPress Authors plugin <= 4.7.3 - SQL Injection vulnerability
Type: Weaknesses
Value: CWE-89
Type: References
Type: Metrics cvssV3_1
Value: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:42.146Z

Reserved: 2025-02-17T11:50:22.450Z

Link: CVE-2025-26886

Vulnrichment

Updated: 2025-03-17T16:11:27.958Z

NVD

Status : Deferred

Published: 2025-03-15T22:15:13.837

Modified: 2026-06-17T09:02:33.013

Link: CVE-2025-26886

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T03:30:16Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')