Description
Unauthenticated SQL Injection in Library Management System <= 3.5.7 versions.
Published: 2026-06-26
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated SQL Injection is present in the WordPress Library Management System plugin versions up to 3.5.7, allowing an attacker to inject arbitrary SQL statements into database queries. This flaw can lead to data exfiltration, corruption, or full compromise of the library database, as the attacker can execute any SQL command without authentication.

Affected Systems

The vulnerability impacts the Online Web Tutor: Library Management System plugin for WordPress. Any installation running version 3.5.7 or earlier is affected, regardless of site configuration.

Risk and Exploitability

With a CVSS score of 9.3, the vulnerability is classified as critical severity. The EPSS score is not available, so the actual exploitation likelihood remains uncertain. The flaw is not listed in CISA KEV. The attack vector is inferred to be unauthenticated, likely via exposed plugin endpoints that accept user-supplied parameters; once exploitation succeeds, an attacker can run any SQL command and compromise the entire library database.

Generated by OpenCVE AI on June 26, 2026 at 17:18 UTC.

Remediation

Vendor Solution

Update the WordPress Library Management System Plugin to the latest available version (at least 3.5.8).


OpenCVE Recommended Actions

  • Upgrade the WordPress Library Management System Plugin to version 3.5.8 or newer.
  • If an immediate upgrade is not feasible, temporarily disable the plugin to block exploitation.
  • Review any custom database queries within the plugin, ensuring all inputs are either sanitized or passed through prepared statements to mitigate CWE‑89.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated SQL Injection in Library Management System <= 3.5.7 versions.
Title | | WordPress Library Management System plugin <= 3.5.7 - SQL Injection vulnerability
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T14:52:36.866Z

Reserved: 2026-06-18T14:37:40.347Z

Link: CVE-2026-56034

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:30:05Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')