CRITICAL | CVE-2026-39530 | CNA: Patchstack

CVE-2026-39530: WordPress SpeakOut! Email Petitions plugin <= 4.6.5 - SQL Injection vulnerability

Unauthenticated SQL Injection in SpeakOut! Email Petitions <= 4.6.5 versions.

Metrics

CVSS v3.1: 9.3
Severity: CRITICAL
Fixed in: none published
Affected Products: 1


HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the SpeakOut! Email Petitions WordPress plugin at version 4.6.5 and below. The flaw is reachable over the network with no authentication or user interaction required, meaning any remote attacker can send a crafted HTTP request to the affected endpoint. Successful exploitation gives the attacker read access to the underlying database and limited ability to disrupt service availability. No fix has been published yet; HarborGuard tracks this advisory and will make a patched rebuild available as soon as upstream releases one.

HarborGuard Coverage

Detection

Detection for CVE-2026-39530 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images in registries and active pipelines. This coverage extends to custom-built images that bundle the SpeakOut! Email Petitions plugin.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS 3.1 rating of 9.3 (Critical) and weighting it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the inbox configured for the affected workload inside each customer org.

Status: Available

Patch

Because no fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment upstream ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress installation over the network; the vulnerable endpoint is exposed to any HTTP client that can connect to the web server.

  • Authentication: Not required

    No account or session token is needed; the injection can be triggered by an anonymous request.

  • Victim interaction: Not required

    No user action is required; the attacker sends a direct request to the affected endpoint without involving any site visitor.

  • Attack complexity: Low (AC:L)

    Exploit reliability is high and no special conditions are required; a crafted SQL payload can be delivered in a straightforward, repeatable request.

Blast Radius

  • Reads arbitrary database rows, including user email addresses, hashed passwords, petition signatures, and any other data stored in the WordPress database.
  • Scope extends beyond the plugin itself: the CVSS Scope token is Changed, so data from other components sharing the same database (other plugins, the WordPress core tables) is also readable.
  • Causes limited disruption to service availability, consistent with an attacker issuing resource-intensive queries that degrade database response times.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against all images in connected registries and build pipelines within minutes of ingestion from the Patchstack feed. Because no upstream fix exists today, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment a fix version is published; customers with auto-remediation enabled will receive that rebuild, a regression-test run, and an auto-opened PR against affected workloads without manual intervention. In the interim, compensating controls worth considering include network-policy rules that restrict direct database access to the WordPress application tier only, WAF rules targeting SQL metacharacter sequences in petition-related request parameters, and disabling the SpeakOut! plugin on any instance where petition functionality is not actively required. Where compliance policy flags Critical-severity unpatched CVEs for escalation, HarborGuard routes this finding to the designated security inbox automatically.

Affected packages

  • SpeakOut! / SpeakOut! Email Petitions: ≤ 4.6.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L