Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in robfelty Collapsing Archives collapsing-archives allows Blind SQL Injection.This issue affects Collapsing Archives: from n/a through <= 3.0.7.
Published: 2026-03-13
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an Improper Neutralization of Special Elements used in an SQL Command, classified as CWE-89. This flaw allows a blind SQL Injection that can be exploited to read, modify, or delete data stored in the database. The lack of proper input sanitization means that an attacker can construct malicious queries to extract sensitive information or manipulate content within the WordPress database, potentially compromising confidentiality and data integrity.

Affected Systems

The affected product is the WordPress Collapsing Archives plugin (robfelty:Collapsing Archives). All versions from the initial release through version 3.0.7 are vulnerable. No specific sub‑versions are excluded in the vendor's advisory.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Although the description does not explicitly state the attack vector, the plugin is publicly accessible through a WordPress site, so the likely attack vector is remote unauthenticated exploitation via crafted requests to the plugin’s endpoints. Once exploited, an attacker can perform blind queries to glean or alter database contents.

Generated by OpenCVE AI on March 17, 2026 at 16:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Collapsing Archives plugin to a version newer than 3.0.7, following the vendor’s release schedule. If a newer version is unavailable, disable or remove the plugin entirely to eliminate the attack surface.

Generated by OpenCVE AI on March 17, 2026 at 16:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Robfelty
Robfelty collapsing Archives
Wordpress
Wordpress wordpress
Vendors & Products Robfelty
Robfelty collapsing Archives
Wordpress
Wordpress wordpress

Fri, 13 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in robfelty Collapsing Archives collapsing-archives allows Blind SQL Injection.This issue affects Collapsing Archives: from n/a through <= 3.0.7.
Title WordPress Collapsing Archives plugin <= 3.0.7 - SQL Injection vulnerability
Weaknesses CWE-89
References

Subscriptions

Robfelty Collapsing Archives
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:59.786Z

Reserved: 2026-03-12T11:10:53.774Z

Link: CVE-2026-32365

cve-icon Vulnrichment

Updated: 2026-03-16T14:49:17.721Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:50.580

Modified: 2026-03-16T15:16:22.840

Link: CVE-2026-32365

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T09:58:52Z

Weaknesses