Description
Administrator SQL Injection in WP All Import <= 4.0.1 versions.
Published: 2026-06-26
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw (CWE-89) in the WordPress WP All Import plugin, versions up to and including 4.0.1. An attacker who is authenticated as an administrator can inject arbitrary SQL statements, potentially leading to data exfiltration or the execution of privileged code within the WordPress database context.

Affected Systems

The affected product is the WordPress WP All Import plugin. Versions 4.0.1 and earlier are susceptible. Administrators managing WordPress sites that use these plugin versions are at risk.

Risk and Exploitability

The CVSS score is 7.6, which is High severity. The EPSS score is not available, so historical exploitation data is unknown at this time. The vulnerability has not been listed in CISA KEV, suggesting no widespread known exploits. Exploitation requires administrator privileges on the WordPress site; once those privileges are obtained, an attacker can execute arbitrary SQL commands in the database context and potentially compromise the entire site.

Generated by OpenCVE AI on June 26, 2026 at 18:05 UTC.

Remediation

Vendor Solution

Update the WordPress WP All Import Plugin to the latest available version (at least 4.1.0).


OpenCVE Recommended Actions

  • Update WordPress WP All Import Plugin to version 4.1.0 or later
  • Back up the database before applying the update
  • Restrict import functionality to trusted users and verify user roles



Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | Administrator SQL Injection in WP All Import <= 4.0.1 versions.
Title | | WordPress WP All Import plugin <= 4.0.1 - SQL Injection vulnerability
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T15:40:28.628Z

Reserved: 2026-06-25T08:03:10.450Z

Link: CVE-2026-57628

Vulnrichment

Updated: 2026-06-26T15:40:24.932Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T18:15:04Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')