Description
Subscriber SQL Injection in Attendance Manager <= 0.6.2 versions.
Published: 2026-06-16
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a SQL injection flaw, caused by unsanitized input, in the subscriber component of the WordPress Attendance Manager plugin. Attackers can inject arbitrary SQL through unvalidated subscription data, allowing them to read sensitive database records or modify existing entries. This can compromise confidentiality, integrity, and availability of the site’s data.

Affected Systems

WordPress users running the Attendance Manager plugin version 0.6.2 or earlier, distributed by tnomi, are impacted. Any installation that has not upgraded to at least 0.6.3 remains vulnerable.

Risk and Exploitability

The CVSS score of 7.6 indicates high severity, but the EPSS of less than 1% suggests that the likelihood of exploitation is currently very low. The vulnerability is not listed in the CISA KEV catalog, and no public exploits are known. Attackers would most likely target the plugin via a crafted HTTP request sent to the subscriber endpoint of the plugin. Remediation is critical to prevent data leakage or unauthorized data modification.

Generated by OpenCVE AI on June 16, 2026 at 20:10 UTC.

Remediation

Vendor Solution

Update the WordPress Attendance Manager Plugin to the latest available version (at least 0.6.3).


OpenCVE Recommended Actions

  • Apply the official update by installing Attendance Manager plugin version 0.6.3 or later.
  • If an update cannot be applied, temporarily block SQL injection attempts by configuring a Web Application Firewall to filter the subscriber endpoint for suspicious query patterns.
  • As a last resort, if the service is not essential, disable or remove the Attendance Manager plugin until a patch is available.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 18:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tnomi; Tnomi attendance Manager; Wordpress; Wordpress wordpress
Vendors & Products | | Tnomi; Tnomi attendance Manager; Wordpress; Wordpress wordpress

Tue, 16 Jun 2026 09:45:00 +0000

Type | Values Removed | Values Added
Description | | Subscriber SQL Injection in Attendance Manager <= 0.6.2 versions.
Title | | WordPress Attendance Manager plugin <= 0.6.2 - SQL Injection vulnerability
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:L'}


Subscriptions

Tnomi Attendance Manager
Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T17:10:31.823Z

Reserved: 2026-06-08T10:11:21.891Z

Link: CVE-2026-52712

Vulnrichment

Updated: 2026-06-16T13:29:43.492Z

NVD

Status: Deferred

Published: 2026-06-16T10:16:27.997

Modified: 2026-06-16T14:52:36.287

Link: CVE-2026-52712

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T20:15:16Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')