Description
The Apocalypse Meow plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 22.1.0. This is due to a flawed logical operator in the type validation check on line 261 of ajax.php — the condition uses `&&` (AND) instead of `||` (OR), causing the `in_array()` validation to be short-circuited and never evaluated for any non-empty type value. Combined with `stripslashes_deep()` being called on line 101 which removes `wp_magic_quotes()` protection, attacker-controlled single quotes pass through unescaped into the SQL query on line 298. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-03-05
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection through the 'type' parameter
Action: Immediate Patch
AI Analysis

Impact

The Apocalypse Meow plugin for WordPress is vulnerable to SQL injection because the logical operator in the 'type' validation check is wrong. With `&&`, the in_array() check is short-circuited and never runs for any non-empty value, and a preceding call to stripslashes_deep() removes the protective slashes that wp_magic_quotes() added. An authenticated user with Administrator-level access or higher can therefore inject additional SQL statements into existing queries and potentially extract sensitive data from the database.

Affected Systems

The vulnerability affects the Apocalypse Meow WordPress plugin distributed by blobfolio. All versions up to and including 22.1.0 are impacted; later releases are not known to contain this flaw.

Risk and Exploitability

The CVSS score is 4.9, indicating moderate severity, and the EPSS score is less than 1%, implying a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an authenticated administrator account, so the attack surface is limited to sites where such credentials exist. Despite the low probability of remote exploitation, the potential impact on data confidentiality within a compromised site warrants attention.

Generated by OpenCVE AI on April 15, 2026 at 16:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Apocalypse Meow plugin to a version newer than 22.1.0 to completely eliminate the SQL injection issue.
  • If an update cannot be performed immediately, revoke or reduce Administrator-level access for users that do not require it, and consider disabling the plugin if it is not essential.
  • As a temporary measure, manually edit the plugin source: replace the logical operator on line 261 in ajax.php with ‘||’ to restore proper validation, and remove or comment out the stripslashes_deep() call that strips protection slashes, ensuring that the ‘type’ parameter is never passed unsanitized into the SQL query.
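The operator flaw described in the Description above and the correction proposed in the last action, as an added illustration that is not the plugin's own code: with `&&`, any non-empty value makes the left operand false, so PHP never evaluates `in_array()`; with `||` the whitelist check runs. The whitelist contents, the function names and the table name are assumptions; the query helper additionally binds the value with `$wpdb->prepare()` so that escaping does not depend on `wp_magic_quotes()` surviving a `stripslashes_deep()` call.

```php
<?php
// Added example, not Apocalypse Meow's code: a stand-in for the 'type'
// validation the advisory describes. The whitelist, function names and
// table name are assumptions made for this illustration.

$ALLOWED_TYPES = array('ip', 'subnet', 'user'); // assumed whitelist

// Flawed form (the bug the advisory describes): for any non-empty $type,
// empty($type) is false, '&&' short-circuits, and in_array() never runs,
// so only the empty string is ever rejected.
function type_is_rejected_flawed($type, array $allowed) {
    return empty($type) && !in_array($type, $allowed, true);
}

// Corrected form: reject when the value is empty OR not in the whitelist.
function type_is_rejected_fixed($type, array $allowed) {
    return empty($type) || !in_array($type, $allowed, true);
}

// Defence in depth: even after whitelisting, bind the value with
// $wpdb->prepare() instead of interpolating it into the SQL string.
// $table is a trusted, developer-supplied name (e.g. built from
// $wpdb->prefix); only $type is attacker-influenced. Needs WordPress loaded.
function build_lookup_query($wpdb, $table, $type, array $allowed) {
    if (type_is_rejected_fixed($type, $allowed)) {
        return null; // caller should answer the AJAX request with an error
    }
    return $wpdb->prepare("SELECT * FROM {$table} WHERE type = %s", $type);
}

// Constructed probe: a whitelisted value with a trailing single quote,
// the kind of input the advisory says reaches the query unescaped.
$probe = "ip'";
echo "flawed check rejects probe: ";
var_dump(type_is_rejected_flawed($probe, $ALLOWED_TYPES));
echo "fixed check rejects probe: ";
var_dump(type_is_rejected_fixed($probe, $ALLOWED_TYPES));
echo "fixed check rejects legitimate 'ip': ";
var_dump(type_is_rejected_fixed('ip', $ALLOWED_TYPES));
```

Run with `php` on the command line; only build_lookup_query() requires a WordPress environment, and it is defined but not invoked here.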


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values added: Blobfolio; Blobfolio apocalypse Meow; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Blobfolio; Blobfolio apocalypse Meow; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 16:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 04:45:00 +0000

Type: Description
Values added: (identical to the Description at the top of this page)

Type: Title
Values added: Apocalypse Meow <= 22.1.0 - Authenticated (Administrator+) SQL Injection via 'type' Parameter

Type: Weaknesses
Values added: CWE-89

Type: References

Type: Metrics
Values added: cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:12:30.229Z

Reserved: 2026-03-04T16:04:52.755Z

Link: CVE-2026-3523

Vulnrichment

Updated: 2026-03-05T15:29:11.839Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T05:16:37.717

Modified: 2026-03-05T19:38:53.383

Link: CVE-2026-3523

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:00:07Z

Weaknesses