HarborGuard Database

CRITICAL | CVE-2026-39519 | CNA: Patchstack

CVE-2026-39519: WordPress GeekyBot plugin <= 1.2.0 - SQL Injection vulnerability

Unauthenticated SQL Injection in GeekyBot <= 1.2.0 versions.

Metrics

CVSS v3.1: 9.3
Severity: CRITICAL
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the WordPress GeekyBot plugin at version 1.2.0 and earlier. The flaw is reachable over the network without any login or account, meaning any internet-facing WordPress site running the plugin is exposed. Successful exploitation gives an attacker direct read access to the underlying database and minor ability to disrupt service availability. No fix version has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as upstream ships a fix.

HarborGuard Coverage

Detection (status: Available)

Detection for CVE-2026-39519 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream advisory feeds including Patchstack. Matching runs against images in customer registries and CI/CD pipelines, covering custom-built WordPress images that bundle the GeekyBot plugin.

Triage (status: Available)

Triage is available with a CVSS v3.1 score of 9.3 (Critical) applied automatically, weighted further by each customer organization's compliance policy to reflect their specific risk tolerance. Findings are routed to the appropriate team inbox within each customer org based on configured ownership rules.

Patch (status: Pending upstream)

Because no fix version has been published upstream, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment the upstream maintainer ships a corrected release. Customers with auto-remediation enabled will receive an automatic rebuild, regression test run, and a PR opened against affected workloads as soon as a fix version is available.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress site via HTTP/HTTPS from the internet or an internal network.

  • Authentication: Not required

    No account, session, or credential of any kind is needed to trigger the injection; any unauthenticated request to the affected endpoint is sufficient.

  • Victim interaction: Not required

    The attacker does not need to involve or trick any user; the exploit is executed directly against the server with no victim participation.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental prerequisites to execute successfully.

Blast Radius

  • An attacker reads arbitrary rows from the WordPress database, including user account records, hashed passwords, stored session tokens, and any data the chatbot plugin persists.
  • Confidentiality impact is high, and the vector records a scope change (S:C): the data reachable through the injection is bounded by the privileges of the database user the site connects with, so it can extend beyond the GeekyBot plugin's own tables to other WordPress tables or to co-hosted databases on the same database server.
  • Availability is partially disrupted; a crafted injection can produce resource-intensive queries that degrade or briefly interrupt database responsiveness for the affected site.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix for CVE-2026-39519 exists at this time, HarborGuard continuously re-checks the Patchstack advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment a fix version is published. For customers with auto-remediation enabled, the rebuild, regression test run, and PR flow will trigger without manual intervention as soon as upstream ships. In the meantime, HarborGuard surfaces the affected images in the findings dashboard so teams can apply compensating controls: network-policy rules that restrict inbound HTTP access to WordPress deployments running GeekyBot, web application firewall rules targeting SQL injection patterns on the affected plugin routes, and feature-flag or plugin-deactivation options where the chatbot functionality is non-critical. Any change in advisory status will be reflected in the HarborGuard findings feed within minutes of ingestion.

Affected packages
  • Ahmad / GeekyBot: ≤ 1.2.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L