Description
Subscriber SQL Injection in GamiPress <= 7.8.7 versions.
Published: 2026-06-15
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw in the GamiPress WordPress plugin that allows attackers to inject arbitrary SQL statements through the subscriber functionality. The likely attack vector is via web requests to the plugin’s subscriber endpoints, though the description does not explicitly state this; it is inferred from the nature of the flaw and the mention of subscriber-based injection. Successful exploitation could enable an attacker to read sensitive data, alter or delete database records, or possibly gain further access depending on the privileges of the database user account. This impact includes potential confidentiality, integrity, and availability compromise for the site’s data.

Affected Systems

The GamiPress plugin developed by Ruben Garcia, versions 7.8.7 and earlier, are affected. The issue has been fixed in version 7.8.8 and later, so sites using those releases are no longer vulnerable.

Risk and Exploitability

The EPSS score for this vulnerability is less than 1%, indicating a low probability of being actively exploited, and it is not listed in CISA’s KEV catalog. Despite the low EPSS, the CVSS score of 8.5 signifies that the flaw, if exploited, would lead to significant data exposure or damage. Exposure may be achievable through unauthenticated or authenticated web traffic to the subscriber endpoints, depending on site configuration. The combination of high severity and the possibility of remote exploitation creates a notable risk that warrants prompt remediation.

Generated by OpenCVE AI on June 18, 2026 at 00:37 UTC.

Remediation

Vendor Solution

Update the WordPress GamiPress Plugin to the latest available version (at least 7.8.8).


OpenCVE Recommended Actions

  • Upgrade the GamiPress plugin to version 7.8.8 or later.
  • Sanitize and validate all subscriber input before incorporating it into database queries to prevent injection.
  • Restrict access to the subscriber endpoints to authenticated users only and enforce least privilege.

Generated by OpenCVE AI on June 18, 2026 at 00:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Gamipress
Gamipress gamipress
Wordpress
Wordpress wordpress
Vendors & Products Gamipress
Gamipress gamipress
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Subscriber SQL Injection in GamiPress <= 7.8.7 versions.
Title WordPress GamiPress plugin <= 7.8.7 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Gamipress Gamipress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-15T22:30:47.465Z

Reserved: 2026-05-25T22:10:00.865Z

Link: CVE-2026-48874

cve-icon Vulnrichment

Updated: 2026-06-15T22:30:44.681Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:16.903

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-48874

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T00:45:02Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')