CVE-2026-40762 (HIGH). CNA: Patchstack.

CVE-2026-40762: WordPress WPGraphQL plugin < 2.11.1 - SQL Injection vulnerability

Unauthenticated SQL Injection in WPGraphQL < 2.11.1 versions.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 2.11.1
Affected Products: 1


HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the WPGraphQL WordPress plugin in all versions before 2.11.1. The flaw is reachable over the network without any credentials, though exploitation requires overcoming high-complexity conditions such as specific timing or environmental factors. A successful attacker can read sensitive data from the underlying database and cause limited disruption to service availability. A patched-image rebuild at version 2.11.1 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against all customer images, including custom-built images that bundle the WPGraphQL plugin. Coverage extends to images in both connected registries and active CI/CD pipelines.

Triage (Available)

HarborGuard is capable of scoring this CVE at 7.5 HIGH using the CVSS v3.1 vector and weighting that score against each customer environment's compliance policy to determine urgency. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (Available)

A patched-image rebuild at WPGraphQL 2.11.1 is available on HarborGuard for any environment found to be running an affected version. For customers who opt into auto-remediation, HarborGuard can execute a rebuild, run a regression test suite against the updated image, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WPGraphQL endpoint over the network; no local or physical access is required.

  • Authentication: Not required

    No credentials or account of any kind are needed to trigger the injection.

  • Victim interaction: Not required

    The attacker acts entirely on their own without needing any action from a legitimate user.

  • Attack complexity: High

    Exploitation is rated high complexity, meaning the attacker must account for race conditions, specific environmental states, or other factors outside their direct control before the attack reliably succeeds.

Blast Radius

  • A successful attacker reads arbitrary rows from the WordPress database, including stored user credentials, session tokens, and site configuration data.
  • Database contents scoped to the application user are exposed; the changed scope (S:C) in the CVSS vector means the impact can extend beyond the immediate WordPress installation context.
  • Service availability is partially degraded, as the malformed queries can disrupt database responsiveness for legitimate requests.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-40762 is active across all connected environments and fires within minutes of an affected image being pushed or scanned. Given the HIGH severity rating and the availability of a fix, a patched-image rebuild at WPGraphQL 2.11.1 is ready for environments confirmed to be running a vulnerable version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the triage finding is queued in the team inbox with the CVSS score, affected image list, and recommended fix version attached for reviewer action.


Fix available: 2.11.1
Affected packages
  • WPGraphQL / WPGraphQL < 2.11.1 (from n/a)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L
References