Description
Unauthenticated SQL Injection in WP eMember < v10.9.4 versions.
Published: 2026-06-17
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated SQL Injection exists in the WordPress WP eMember plugin version 10.9.3 and earlier, allowing an attacker to construct and execute arbitrary SQL statements. This flaw is a classic CWE-89 vulnerability that can compromise the confidentiality, integrity, and availability of the WordPress database and any data stored within it, including user credentials, content, and system configuration.

Affected Systems

The vulnerability affects installations of the WP eMember plugin developed by Tips and Tricks HQ, specifically all released versions lower than v10.9.4. Any WordPress site using one of these affected plugin builds is at risk.

Risk and Exploitability

The CVSS score of 9.3 illustrates a critical level of severity, reflecting the exploitation of a web‑based, unauthenticated input processing error that can lead to full database compromise. The EPSS score is not available, but the absence from the CISA KEV catalog does not preclude exploitation. The attack vector is most likely through the publicly accessible plugin endpoints, where malicious payloads can be injected without prior authentication. Given the high impact and typical web exposure, the risk of successful exploitation remains significant.

Generated by OpenCVE AI on June 18, 2026 at 12:02 UTC.

Remediation

Vendor Solution

Update the WordPress WP eMember plugin to the latest available version (at least v10.9.4).


OpenCVE Recommended Actions

  • Update the WP eMember plugin to version 10.9.4 or newer, as issued by the vendor.
  • Apply WordPress core updates and enforce the principle of least privilege on database accounts used by the plugin.
  • Configure web‑application firewalls or request filtering to block suspicious SQL patterns.

Generated by OpenCVE AI on June 18, 2026 at 12:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Tipsandtricks-hq
Tipsandtricks-hq wp Emember
Wordpress
Wordpress wordpress
Vendors & Products Tipsandtricks-hq
Tipsandtricks-hq wp Emember
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated SQL Injection in WP eMember < v10.9.4 versions.
Title WordPress WP eMember plugin < v10.9.4 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Tipsandtricks-hq Wp Emember
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:39:28.084Z

Reserved: 2026-06-16T09:21:34.478Z

Link: CVE-2026-54811

cve-icon Vulnrichment

Updated: 2026-06-17T14:39:24.629Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:30:05Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')