Description
Subscriber SQL Injection in WC Vendors Marketplace <= 2.6.8 versions.
Published: 2026-06-25
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A SQL injection flaw exists in the Subscriber interface of the WC Vendors Marketplace plugin for WordPress. The vulnerability allows an attacker to inject arbitrary SQL statements that are executed against the underlying database, potentially enabling the attacker to read, alter, or delete stored data. Such an attack could compromise the integrity and confidentiality of the site’s order and product information, and may provide a foothold for further exploitation if the plugin interacts with other components.

Affected Systems

The flaw affects installations of the WC Vendors Marketplace plugin by Rymera Web Co running any version up to and including 2.6.8. Sites running version 2.6.8 or earlier should check the installed plugin version and plan an upgrade. Updated releases, 2.6.9 and later, contain the vendor‑supplied fix.

Risk and Exploitability

The CVSS score for this issue is 8.5, indicating a high-severity vulnerability. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. As a SQL injection, the flaw suggests that an attacker who can reach the subscriber endpoint may be able to exploit it; however, the specific attack vector and prerequisites are not detailed in the available data. The risk remains high because of the potential impact on data confidentiality and integrity.

Generated by OpenCVE AI on June 25, 2026 at 16:04 UTC.

Remediation

Vendor Solution

Update the WordPress WC Vendors Marketplace Plugin to the latest available version (at least 2.6.9).


OpenCVE Recommended Actions

  • Upgrade the WC Vendors Marketplace Plugin to version 2.6.9 or newer to apply the vendor patch.
  • If an upgrade cannot be performed immediately, apply input validation or a web application firewall rule to block the most common SQL injection patterns on subscriber‑related requests.
  • Verify that the upgrade or mitigation is effective by testing with malicious input on the subscriber page to ensure that no database errors are produced.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 15:30:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:00:00 +0000

Type: Description
Values added: Subscriber SQL Injection in WC Vendors Marketplace <= 2.6.8 versions.

Type: Title
Values added: WordPress WC Vendors Marketplace plugin <= 2.6.8 - SQL Injection vulnerability

Type: Weaknesses
Values added: CWE-89

Type: References
Values added: none listed

Type: Metrics (cvssV3_1)
Values added: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-25T14:54:41.669Z

Reserved: 2026-06-16T09:21:57.269Z

Link: CVE-2026-54838

Vulnrichment

Updated: 2026-06-25T14:54:37.425Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T16:15:15Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')