HarborGuard Database

CVE-2026-42665 (CRITICAL). CNA: Patchstack.

CVE-2026-42665: WordPress WP Data Access plugin <= 5.5.70 - SQL Injection vulnerability

Unauthenticated SQL Injection in WP Data Access <= 5.5.70 versions.

Metrics

CVSS v3.1 base score: 9.3
Severity: CRITICAL
Fixed in: no fixed version published upstream yet
Affected products: 1


HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the WP Data Access WordPress plugin at version 5.5.70 and below. The flaw is reachable over the network and requires no authentication, so any remote client that can send HTTP requests to the WordPress installation can reach the vulnerable code path. Per the CVSS vector, successful exploitation lets an attacker read data from the WordPress database (confidentiality impact High) and can cause minor service disruption (availability impact Low); no integrity impact is recorded. No upstream fix has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as a fixed version is released.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images and pipeline builds, including custom-built WordPress images that bundle this plugin. Any image containing WP Data Access at or below version 5.5.70 is flagged automatically.

Status: Available
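For teams that want to reproduce the version check outside HarborGuard (for example in a CI step over an unpacked image layer), the following is an added example, not HarborGuard's scanner or the plugin's own code. It parses the metadata comment that WordPress reads from the top of a plugin's main PHP file, compares the Version field against the advisory's inclusive upper bound 5.5.70, and walks a wp-content/plugins directory. The sample header is constructed for the demo, and the assumption that the plugin announces itself as "Plugin Name: WP Data Access" is exactly that, an assumption; adjust the match if your install reports a different name.

```python
import re
import sys
from pathlib import Path

# Inclusive upper bound of the affected range, taken from the advisory.
AFFECTED_MAX = "5.5.70"

# WordPress reads plugin metadata from a comment block at the top of the
# plugin's main PHP file and only consults the first 8 KiB of the file.
HEADER_RE = re.compile(r"^[\s*#/]*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)

# Constructed sample header for the demo run (not copied from the plugin).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WP Data Access
 * Description: Sample header constructed for this example.
 * Version: 5.5.70
 * Author: Passionate Programmer Peter
 */
"""


def parse_plugin_header(text: str) -> dict:
    """Return the Plugin Name / Version fields from a WordPress plugin header."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):
        fields.setdefault(key, value.strip())  # first occurrence wins, as in WordPress
    return fields


def version_tuple(version: str) -> tuple:
    """Leading dotted numeric part only: '5.5.70' -> (5, 5, 70), '5.5.70-rc1' -> (5, 5, 70).
    Sufficient for this plugin's release numbering; not a general semver parser."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version: str, max_affected: str = AFFECTED_MAX) -> bool:
    """True when version <= max_affected (the advisory's bound is inclusive)."""
    return version_tuple(version) <= version_tuple(max_affected)


def scan_plugins_dir(plugins_dir) -> list:
    """Scan <plugins_dir>/*/*.php (e.g. an image's wp-content/plugins) and
    return (path, version, affected) for every WP Data Access install found."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        try:
            header = parse_plugin_header(php.read_text(encoding="utf-8", errors="replace"))
        except OSError:
            continue
        # Assumption: the plugin's header names it "WP Data Access".
        if header.get("Plugin Name") == "WP Data Access" and "Version" in header:
            findings.append((str(php), header["Version"], is_affected(header["Version"])))
    return findings


if __name__ == "__main__":
    hdr = parse_plugin_header(SAMPLE_HEADER)
    print(f"sample header: {hdr} affected={is_affected(hdr['Version'])}")
    # Usage: python check_wpda.py /path/to/unpacked-image/wp-content/plugins
    if len(sys.argv) > 1:
        for path, ver, hit in scan_plugins_dir(sys.argv[1]):
            print(f"{'AFFECTED' if hit else 'ok      '} {ver:<12} {path}")
```

The check is deliberately inclusive at 5.5.70 and treats a bare "5.5" as affected (a tuple prefix sorts below the longer tuple), which errs on the side of flagging. Once the vendor publishes a fixed version, the bound to update is AFFECTED_MAX.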
Triage

HarborGuard scores this finding at CVSS 9.3 (Critical) and weights it against each customer organization's compliance policy to determine routing priority. The resulting alert is directed to the appropriate team inbox within the customer org based on configured ownership rules.

Status: Available
Patch

Because no fix version has been published upstream, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the vendor ships a corrected release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version is confirmed.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network; an attacker must be able to send HTTP requests to the target WordPress installation.

  • Authentication: Not required

    No account or session credential of any privilege level is needed to trigger the injection.

  • Victim interaction: Not required

    The attacker sends a direct request to the server; no user action or social engineering is involved.

  • Attack complexity: Low

    Exploitation is reliable and condition-free; no race condition, memory-layout dependency, or special environmental state is required.

Blast Radius

  • Reads arbitrary database rows, including WordPress user table entries, hashed passwords, stored session tokens, and any data held in custom WP Data Access tables.
  • Database contents such as stored API keys, personal data, or application configuration values can be extracted in bulk through repeated injection queries.
  • The availability impact is low; the injection can cause minor disruption to database query processing, potentially intermittently slowing or erroring affected pages.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged at Critical severity in any scanned image that includes WP Data Access at or below version 5.5.70, with no manual rule configuration required. Because no upstream patch exists at this time, HarborGuard monitors the Patchstack advisory and the vendor release channel on every ingest cycle. When a fix version is published, a patched-image rebuild becomes available immediately; for customers with auto-remediation enabled, this triggers a full regression run and a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy rules that restrict public access to the WordPress installation, web application firewall rules targeting SQL injection patterns in request parameters, and disabling or uninstalling the WP Data Access plugin where its functionality is not actively needed. Of these, only removing or deactivating the plugin eliminates the vulnerable code path; network restrictions and WAF signatures reduce exposure but can be bypassed, so they should be treated as stopgaps until a fixed version ships.

Affected packages
  • Passionate Programmer Peter / WP Data Access
    ≤ 5.5.70
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L