Description
Unauthenticated SQL Injection in SpeakOut! Email Petitions <= 4.6.5 versions.
Published: 2026-06-15
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated SQL Injection flaw present in all SpeakOut! Email Petitions plugin releases up to and including version 4.6.5. The flaw allows an attacker to inject arbitrary SQL statements through the plugin’s input handling, which can be used to read, modify, or delete data stored in the WordPress database. The high CVSS score of 9.3 reflects the significant impact on confidentiality and integrity of a site that relies on this plugin, and the potential for broader compromise if the underlying database can be coerced into executing additional malicious commands.

Affected Systems

This issue affects sites running the WordPress SpeakOut! Email Petitions plugin version 4.6.5 or earlier. The plugin is distributed by SpeakOut! and is available to any WordPress installation that includes it.

Risk and Exploitability

With an EPSS score of less than 1%, the likelihood of exploitation is currently very low, but the vulnerability is still considered critical by CVSS criteria. The flaw is not listed in the CISA KEV catalog, indicating no known widespread exploitation. The attack vector is inferred to be through unauthenticated HTTP requests to the plugin’s exposed endpoints, allowing any visitor to supply crafted input that bypasses normal sanitization checks.

Generated by OpenCVE AI on June 16, 2026 at 22:27 UTC.

Remediation

Vendor Solution

Update the WordPress SpeakOut! Email Petitions Plugin to the latest available version (at least 4.6.5.1).


OpenCVE Recommended Actions

  • Update the SpeakOut! Email Petitions plugin to version 4.6.5.1 or later immediately.
  • If an immediate update is not possible, disable or remove the plugin from the site until a patched version can be installed.
  • After applying the patch, audit the site’s database for unexpected changes and ensure the database user employed by WordPress has only the privileges required for normal operation.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated SQL Injection in SpeakOut! Email Petitions <= 4.6.5 versions.
Title | | WordPress SpeakOut! Email Petitions plugin <= 4.6.5 - SQL Injection vulnerability
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T13:49:12.591Z

Reserved: 2026-04-07T10:48:09.605Z

Link: CVE-2026-39530

Vulnrichment

Updated: 2026-06-16T13:48:55.683Z

NVD

Status: Deferred

Published: 2026-06-15T21:16:46.953

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-39530

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T22:30:05Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')