CVE-2026-39438: WordPress ListingPro plugin <= 2.9.10 - SQL Injection vulnerability
Unauthenticated SQL injection in ListingPro versions 2.9.10 and earlier.
Metrics
- CVSS v3.1: 9.3
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated SQL injection vulnerability affects the WordPress ListingPro plugin at version 2.9.10 and earlier. The flaw is reachable over the network with no authentication or user interaction required, meaning any remote party can send a crafted request to a vulnerable site. Successful exploitation gives an attacker read access to the underlying database and causes minor availability disruption. No fix version has been published; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
- Status: Available. Detection is available across every HarborGuard environment. CVE-2026-39438 is matched against customer images within minutes of ingestion from upstream feeds, including custom-built WordPress images carrying the ListingPro plugin.
- Status: Available. HarborGuard is capable of scoring this CVE at CVSS 9.3 (Critical) and weighting that score against each environment's compliance policy to determine ticket priority. Triage routing directs findings to the appropriate team inbox within each customer organization.
- Status: Pending upstream. No upstream fix has been published for CVE-2026-39438. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the meantime, compensating controls such as network-policy isolation of WordPress workloads and web-application firewall rules blocking malformed query parameters are surfaced as interim guidance.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network; an attacker must be able to reach the WordPress site via HTTP or HTTPS to deliver a malicious payload.
- Authentication: Not required
No account or session token is needed; the injection can be triggered by any unauthenticated HTTP request.
- Victim interaction: Not required
No victim action is required; the attacker sends requests directly to the server without any social-engineering step.
- Attack complexity: Low
Attack complexity is Low, meaning the exploit is reliable and requires no special preconditions, race conditions, or environmental tuning.
Blast Radius
- An attacker reads arbitrary rows from the WordPress database, including stored user credentials (hashed passwords), email addresses, private post content, and plugin configuration data.
- Because scope is Changed (S:C in the CVSS vector), data from database tables beyond the plugin's own scope may be accessible, potentially exposing data belonging to other applications sharing the same database server.
- Availability impact is Low; repeated exploitation may degrade query performance or cause intermittent errors on the affected WordPress site.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-39438 is active and matches any image carrying ListingPro 2.9.10 or earlier, including custom WordPress images built internally. Because no upstream patch exists, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment a fix version is published. For customers who opt into auto-remediation, that rebuild triggers a regression-test run and a PR opened against affected workloads with no manual intervention. While no patch is available, teams can apply interim compensating controls: isolating WordPress pods behind a network policy that restricts inbound traffic to known sources, enabling a web-application firewall rule set targeting SQL injection patterns on the affected plugin routes, and auditing database user privileges to limit the tables the WordPress database account can read.
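The detection described above comes down to reading the plugin's version and comparing it against the affected range. The following is an added illustration of that check, not HarborGuard's or ListingPro's code: it parses the standard WordPress plugin header (`Plugin Name:` / `Version:` lines) from a constructed set of files, compares versions numerically, and flags anything at 2.9.10 or earlier. It also shows the pitfall a naive implementation hits: as text, "2.10.0" sorts before "2.9.10", so a string comparison would misflag a newer release. The file paths and header contents are constructed samples; the plugin's actual main-file name is not stated in the advisory.

```python
import re

# WordPress plugin main files carry a standard header comment; scanners read the
# "Version:" line and compare it with the advisory's affected range.
VERSION_LINE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)
PLUGIN_NAME_LINE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.MULTILINE)

# Upper bound of the affected range from this advisory; no fixed version is published.
AFFECTED_THROUGH = "2.9.10"

# Constructed sample "image filesystem": path -> file content. File names are
# placeholders, since the advisory does not name the plugin's main file.
SAMPLE_FILES = {
    "wp-content/plugins/listingpro/listingpro.php":
        "<?php\n/**\n * Plugin Name: ListingPro\n * Version: 2.9.10\n */\n",
    "wp-content/plugins/listingpro-newer/listingpro.php":
        "<?php\n/**\n * Plugin Name: ListingPro\n * Version: 2.10.0\n */\n",
    "wp-content/plugins/other-plugin/other.php":
        "<?php\n/**\n * Plugin Name: Other Plugin\n * Version: 1.0.0\n */\n",
    "wp-content/plugins/listingpro-old/listingpro.php":
        "<?php\n/**\n * Plugin Name: ListingPro\n * Version: 2.9\n */\n",
}


def parse_version(text):
    """'2.9.10' -> (2, 9, 10). A pre-release suffix such as '2.9.10-rc1' is dropped,
    which keeps the comparison conservative (the pre-release of an affected
    version is treated as affected)."""
    match = re.match(r"[0-9]+(?:\.[0-9]+)*", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def version_le(a, b):
    """Numeric component-wise comparison, padding shorter versions with zeros so
    that '2.9' compares equal to '2.9.0' rather than shorter-is-smaller."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa <= pb


def is_affected(version, affected_through=AFFECTED_THROUGH):
    """True when the installed version falls inside the advisory's range (<= 2.9.10)."""
    return version_le(version, affected_through)


def scan_files(files, plugin_name="ListingPro"):
    """Walk {path: content}, pick out files whose header names the plugin, and
    report each one with its version and whether it is affected."""
    findings = []
    for path, content in files.items():
        name = PLUGIN_NAME_LINE.search(content)
        version = VERSION_LINE.search(content)
        if not name or not version:
            continue  # not a plugin main file
        if name.group(1).strip().lower() != plugin_name.lower():
            continue  # some other plugin
        findings.append({
            "path": path,
            "version": version.group(1),
            "affected": is_affected(version.group(1)),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        flag = "AFFECTED" if finding["affected"] else "ok"
        print(f"{flag:9} {finding['version']:8} {finding['path']}")
```

Run it as a script to see three ListingPro files reported and the unrelated plugin skipped; only the 2.9.10 and 2.9 copies are flagged, while 2.10.0 is correctly left alone even though a plain string comparison would call it older.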
Affected Products
- Emraan Cheema / ListingPro: ≤ 2.9.10
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L