CVE-2026-39581 | Severity: HIGH | CNA: Patchstack

CVE-2026-39581: WordPress WP Sessions Time Monitoring Full Automatic plugin <= 1.1.4 - SQL Injection vulnerability

Authenticated (Subscriber+) SQL injection in WP Sessions Time Monitoring Full Automatic, versions <= 1.1.4.

Metrics

  • CVSS v3.1 base score: 8.5
  • Severity: HIGH
  • Fixed in: no fixed release published upstream
  • Affected products: 1


HarborGuard Analysis

Synopsis

This is a SQL injection vulnerability in the WP Sessions Time Monitoring Full Automatic WordPress plugin, affecting all versions up to and including 1.1.4. The flaw is reachable over the network and requires only a low-privilege account (such as a standard WordPress subscriber) to exploit, with no additional user interaction needed. The advisory does not name the affected endpoint or parameter. Successful exploitation gives an attacker read access to the WordPress database contents (the vector records a high confidentiality impact and no integrity impact) and can also cause minor service disruption. HarborGuard is tracking this advisory for patch availability and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images in registries and CI/CD pipelines. Coverage extends to custom-built images that bundle this WordPress plugin, not just official or public base images.

Triage (Available)

HarborGuard scores this finding at CVSS 8.5 (High) and weights it against each environment's compliance policy to determine urgency. Triage routing directs the alert to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (Pending upstream)

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as the upstream maintainer ships a remediated release. In the meantime, compensating controls can be applied as described in the recommendation section below.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network (AV:N): an attacker can send crafted HTTP requests to the WordPress installation without local or physical access.

  • Authentication: Required

    A low-privilege WordPress account (PR:L), such as a subscriber-level user, is sufficient; no administrative credentials are needed, but some authenticated session is required.

  • Victim interaction: Not required

    The attacker does not need to trick or involve any other user (UI:N); the injection is triggered directly by the attacker's own requests.

  • Attack complexity: Low

    Attack complexity is low (AC:L): the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • An attacker can read arbitrary rows from the WordPress database (C:H), including user credentials (hashed passwords), email addresses, session tokens (stored hashed in user metadata), and plugin configuration data.
  • Confidential content such as private posts, user metadata, and any data stored by other plugins in the same database is exposed to the attacker.
  • The vector records no integrity impact (I:N): the advisory describes read access, not modification of data.
  • The availability impact is partial (A:L): the attacker can degrade database performance or cause minor disruption to the affected WordPress service through repeated injected queries.
  • The scope is Changed (S:C): the database is a security authority separate from the plugin, so the impact extends beyond the plugin to every component sharing that database, including WordPress core and other plugins.

How HarborGuard Handles This

Because no upstream fix exists for CVE-2026-39581 as of the publication date, HarborGuard monitors the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild automatically once a remediated version of WP Sessions Time Monitoring Full Automatic is released. For customers who opt into auto-remediation, that rebuild is followed by a regression test run and a PR opened against affected workloads, with no manual intervention required.

While no patch is available, recommended compensating controls are:

  • Deactivate the plugin until a fixed release ships. This is the only control that removes the vulnerable code path; the controls below reduce exposure but do not eliminate it.
  • Disable open registration (Settings > General, "Anyone can register") if self-service sign-up is not a required site feature, and audit existing subscriber-level accounts, since any authenticated account satisfies the PR:L requirement.
  • Apply a WAF rule that blocks or flags SQL metacharacter patterns in requests routed to this plugin's endpoints. Treat this as a stopgap: signature matching is routinely bypassed with encoding and comment tricks, and because the advisory does not name the affected endpoint or parameter, the rule's scope has to be set by the operator.
  • Use network policy isolation to limit which services can reach the WordPress database directly. This does not stop the injection itself, which runs over the WordPress process's own database connection, but it limits what an attacker can do with extracted credentials from outside the WordPress host.

Customers can configure HarborGuard compliance policies to elevate this finding to a blocking severity gate in CI/CD pipelines until a patched image becomes available.
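As an added example of the affected-version check behind the detection and CI gate described above (this is not HarborGuard's scanner and not the plugin's own code), the following Python reads the standard WordPress plugin file header, the "Plugin Name:" and "Version:" lines wp-admin itself parses, and flags an install whose version is at or below 1.1.4. The plugin's main file name and directory are not given on this page, so the script matches on the Plugin Name header, and the sample header it runs against is constructed for the example.

```python
"""Flag installs of WP Sessions Time Monitoring Full Automatic at or below 1.1.4.

Added example for this advisory page; not HarborGuard's or the plugin's code.
"""
import re
from pathlib import Path

AFFECTED_PLUGIN = "WP Sessions Time Monitoring Full Automatic"
LAST_AFFECTED = "1.1.4"   # advisory: <= 1.1.4 is vulnerable; no fixed release yet

# Matches "Plugin Name: ..." / "Version: ..." header lines, with or without a
# leading " * " from the comment block, case-insensitively like WordPress does.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$",
                       re.M | re.I)


def parse_plugin_header(php_source: str) -> dict:
    """Return the 'Plugin Name' and 'Version' header fields.

    Like WordPress get_file_data(), only the first 8 KiB of the file is read.
    """
    head = php_source[:8192]
    return {k.title(): v for k, v in HEADER_RE.findall(head)}


def version_key(v: str) -> tuple:
    """Numeric tuple so that 1.1.10 > 1.1.4 (plain string comparison gets this wrong).

    Non-numeric suffixes such as '-beta' are ignored; short versions are padded
    so that 1.1 compares equal to 1.1.0.
    """
    nums = [int(x) for x in re.findall(r"\d+", v)]
    return tuple(nums) + (0,) * (4 - len(nums))


def is_affected(header: dict) -> bool:
    """True when the header names this plugin at a version in the affected range."""
    name = header.get("Plugin Name", "").strip()
    version = header.get("Version")
    if name.lower() != AFFECTED_PLUGIN.lower() or not version:
        return False
    return version_key(version) <= version_key(LAST_AFFECTED)


def scan_plugins_dir(plugins_dir: Path) -> list:
    """Walk wp-content/plugins and return (path, version) for each affected install."""
    hits = []
    candidates = list(plugins_dir.glob("*.php")) + list(plugins_dir.glob("*/*.php"))
    for php in candidates:
        header = parse_plugin_header(php.read_text(errors="ignore"))
        if is_affected(header):
            hits.append((str(php), header["Version"]))
    return hits


# Constructed sample header; the plugin's real main file is not shown on this page.
SAMPLE_HEADER = """<?php
/*
Plugin Name: WP Sessions Time Monitoring Full Automatic
Description: header constructed for this example
Version: 1.1.4
*/
"""

if __name__ == "__main__":
    h = parse_plugin_header(SAMPLE_HEADER)
    print(h["Plugin Name"], h["Version"], "AFFECTED" if is_affected(h) else "ok")
    # Point this at a real install to list affected copies:
    # for path, ver in scan_plugins_dir(Path("/var/www/html/wp-content/plugins")): ...
```

Once upstream publishes a fixed release, the same comparison inverts: replace the `<= LAST_AFFECTED` test with a `< FIXED_VERSION` test against the version Patchstack records as fixed.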

Affected packages
  • activity-log.com / WP Sessions Time Monitoring Full Automatic
    ≤ 1.1.4
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L