Description
The Attendance Manager plugin for WordPress is vulnerable to SQL Injection via the 'attmgr_off' parameter in all versions up to, and including, 0.6.2. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-04-08
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection enabling data exposure
Action: Patch
AI Analysis

Impact

The Attendance Manager plugin for WordPress contains an SQL Injection flaw in the 'attmgr_off' parameter. Because the value provided by users is not properly escaped and the surrounding SQL statement is not prepared, attackers can inject additional SQL statements. This allows the execution of unauthorised queries that can read sensitive database contents, potentially exposing user information and other confidential data.
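The cause described above, an unescaped request parameter concatenated into an unprepared query, shown in WordPress plugin style as an added illustration. This is hypothetical code written for this page, not the plugin's source: the table name, the nonce action and the handler names are assumptions, and only the parameter name 'attmgr_off' comes from the advisory.

```php
<?php
// Hypothetical illustration of CWE-89 in a WordPress plugin; not Attendance
// Manager's code. Assumed: an admin-ajax handler that looks up a row by the
// 'attmgr_off' request parameter in an assumed table {$wpdb->prefix}attmgr_offices.

// BEFORE: the request value is interpolated straight into the SQL string, so any
// authenticated user who can reach the handler controls part of the statement.
function attmgr_lookup_unsafe() {
    global $wpdb;
    $off = isset( $_GET['attmgr_off'] ) ? $_GET['attmgr_off'] : '';
    $sql = "SELECT id, name FROM {$wpdb->prefix}attmgr_offices WHERE id = '" . $off . "'";
    return $wpdb->get_results( $sql );
}

// AFTER: verify the request came from the plugin's own form, coerce the value to
// the type the column expects, and bind it through $wpdb->prepare() so the
// database driver never sees user input as SQL.
function attmgr_lookup_safe() {
    global $wpdb;
    check_ajax_referer( 'attmgr_lookup' ); // nonce action name is an assumption
    $off = isset( $_GET['attmgr_off'] ) ? absint( wp_unslash( $_GET['attmgr_off'] ) ) : 0;
    if ( 0 === $off ) {
        wp_send_json_error( 'invalid attmgr_off', 400 ); // reject rather than guess
    }
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}attmgr_offices WHERE id = %d",
        $off
    );
    return $wpdb->get_results( $sql );
}
```

The %d placeholder is the right choice only when the column is numeric; for a string column use %s with the same prepare() call, and still validate the value against what the feature actually accepts.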

Affected Systems

All WordPress sites running the Attendance Manager plugin version 0.6.2 or older are affected. Attackers need only Subscriber-level or higher privileges, which is common for normal site users.

Risk and Exploitability

The flaw has a CVSS score of 5.4, indicating moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a web-based request that an authenticated user can send to the plugin. Once the attacker injects the malicious payload, the database can be queried for information, leading to confidentiality compromise. Because no public exploit is documented, the risk is moderate to high depending on the attacker's access level.

Generated by OpenCVE AI on April 8, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Attendance Manager plugin to a version newer than 0.6.2.
  • If an upgrade is not immediately possible, remove or restrict the 'attmgr_off' parameter from accessible forms for users with Subscriber or lower roles.
  • Verify that the WordPress installation has updated security patches applied to the core and all plugins.
  • Monitor database logs for unexpected query patterns that may indicate injection attempts.



Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Tnomi; Tnomi attendance Manager; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (empty)
Values Added: Tnomi; Tnomi attendance Manager; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 07:00:00 +0000

Type: Description
Values Removed: (empty)
Values Added: The Attendance Manager plugin for WordPress is vulnerable to SQL Injection via the 'attmgr_off' parameter in all versions up to, and including, 0.6.2. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values Removed: (empty)
Values Added: Attendance Manager <= 0.6.2 - Authenticated (Subscriber+) SQL Injection via 'attmgr_off' Parameter

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-89

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added: cvssV3_1
{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

Tnomi Attendance Manager
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:31:41.656Z

Reserved: 2026-03-08T03:47:24.636Z

Link: CVE-2026-3781

Vulnrichment

Updated: 2026-04-08T13:53:48.575Z

NVD

Status: Deferred

Published: 2026-04-08T07:16:22.067

Modified: 2026-04-27T19:04:22.650

Link: CVE-2026-3781

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:43:32Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')