HarborGuard Database
CRITICAL | CVE-2026-39441 | CNA: Patchstack

CVE-2026-39441: WordPress Feed KuantoKusta for WooCommerce – Free plugin <= 5.3 - SQL Injection vulnerability

Unauthenticated SQL Injection in Feed KuantoKusta for WooCommerce – Free <= 5.3 versions.

Metrics

CVSS v3.1: 9.3
Severity: CRITICAL
Fixed in: no fixed version published
Affected products: 1

HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the Feed KuantoKusta for WooCommerce – Free plugin (versions 5.3 and earlier), developed by Naked Cat Plugins. The flaw is reachable over the network, needs no authentication and no user interaction, and has low attack complexity, so any remote attacker who can reach the site over HTTP(S) can exploit it. Successful exploitation gives the attacker read access to the underlying database (Confidentiality: High) and a limited ability to disrupt service availability (Availability: Low); the advisory records no integrity impact. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against all customer images, including custom-built images that bundle this plugin. Any image found running Feed KuantoKusta for WooCommerce Free at version 5.3 or earlier is flagged immediately.
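The match described above comes down to two checks per image: is this plugin present, and is its version at or below 5.3. The following Python is an added example, not HarborGuard's scanner code. It reads the header fields of a WordPress plugin's main file the way WordPress does (from the first 8 KiB), normalizes the plugin name before comparing it with the advisory's name, and compares versions numerically rather than as strings. The sample header is constructed for illustration; the plugin's real main file, directory name and exact header text are not shown on this page and are assumptions. Two edge cases a naive string comparison gets wrong are covered: "5.10" is newer than "5.3", and "5.3.0" is the same release as "5.3".

```python
"""Flag an installed WordPress plugin against the '<= 5.3' bound in this advisory."""
import re

AFFECTED_PLUGIN = "Feed KuantoKusta for WooCommerce – Free"  # name as given in the advisory
LAST_AFFECTED = "5.3"                                        # "<= 5.3" per the advisory

# Constructed sample of a plugin main-file header (NOT the real plugin file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Feed KuantoKusta for WooCommerce – Free
 * Plugin URI: https://example.invalid/
 * Description: constructed sample header
 * Version: 5.3
 * Author: Naked Cat Plugins
 */
"""

# WordPress matches header lines leniently: optional comment decoration, key, colon, value.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(?P<key>Plugin Name|Version)\s*:\s*(?P<value>.+?)\s*$",
    re.MULTILINE | re.IGNORECASE,
)


def parse_plugin_header(source: str) -> dict:
    """Return {'plugin name': ..., 'version': ...} from the first 8 KiB of a plugin file."""
    fields = {}
    for match in HEADER_RE.finditer(source[:8192]):
        key = match.group("key").lower()
        fields.setdefault(key, match.group("value").strip(" */"))  # first occurrence wins
    return fields


def normalize_name(name: str) -> str:
    """Fold dash variants and case so 'Foo – Free' and 'foo - free' compare equal."""
    return name.replace("\u2013", "-").replace("\u2014", "-").casefold().strip()


def version_key(version: str) -> tuple:
    """Comparable key: numeric components with trailing zeros dropped ('5.3' == '5.3.0').

    A non-numeric suffix such as '5.3-rc1' sorts before the plain '5.3' release.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    is_release = 0 if m.group(2) else 1  # plain release outranks any suffixed build
    return (tuple(parts), is_release)


def is_affected(fields: dict) -> bool:
    """True when the header names the advisory's plugin at a version <= 5.3."""
    if normalize_name(fields.get("plugin name", "")) != normalize_name(AFFECTED_PLUGIN):
        return False
    # A matching plugin with no parseable version raises rather than silently passing.
    return version_key(fields.get("version", "")) <= version_key(LAST_AFFECTED)


if __name__ == "__main__":
    header = parse_plugin_header(SAMPLE_HEADER)
    print(header, "affected" if is_affected(header) else "not affected")
```

Because the fixed version is not yet known, the check uses only the upper bound from the advisory; once Naked Cat Plugins ships a fix, the bound should be replaced by "less than the first fixed version" rather than extended by guesswork.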

Triage (Available)

HarborGuard scores this CVE at CVSS 9.3 Critical and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (Pending upstream)

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Naked Cat Plugins ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression test run, and pull request against affected workloads will be triggered automatically at that point.


Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress/WooCommerce service via HTTP(S) to send a malicious SQL payload.

  • Authentication: Not required

    No account or session token is needed; the injection point is accessible to any unauthenticated HTTP request.

  • Victim interaction: Not required

    The attacker sends requests directly to the server and does not need any user to click a link or take any action.

  • Attack complexity: Low

    Exploit complexity is low, meaning no race conditions, memory layout knowledge, or special environmental conditions are required for the injection to succeed reliably.

Blast Radius

  • Reads arbitrary database rows, including WordPress user credentials (hashed passwords), session tokens, order records, and customer personally identifiable information stored by WooCommerce.
  • Extracts plugin configuration data and any secrets or API keys persisted in the WordPress options table.
  • Causes limited disruption to service availability, consistent with the low Availability impact (A:L) in the CVSS vector.

How HarborGuard Handles This

Because no upstream patch exists today, HarborGuard continuously monitors the Patchstack advisory and re-evaluates affected images on every ingest cycle. In the meantime, customers can apply compensating controls through HarborGuard network policy recommendations: isolating the WordPress container from direct external ingress where possible; restricting the container's egress to its database host and any required upstream services, which does not stop the injection itself (that travels over the plugin's own database connection) but limits where a foothold gained through the site can pivot; and disabling the KuantoKusta feed endpoint via a feature flag or WAF rule if the functionality is not actively required. Where the plugin is not needed at all, removing it until a fixed release ships eliminates the exposure entirely. The moment Naked Cat Plugins publishes a fix, a patched-image rebuild will become available on HarborGuard, and for customers with auto-remediation enabled the full rebuild, regression test run, and PR against affected workloads will trigger automatically, with expected median time from patch publication to merged PR around 90 minutes for Critical-severity issues.

Affected packages
  • Naked Cat Plugins (by Webdados) / Feed KuantoKusta for WooCommerce – Free: ≤ 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L