HarborGuard Database

CVE-2026-48874 (Severity: HIGH) | CNA: Patchstack

CVE-2026-48874: WordPress GamiPress plugin <= 7.8.7 - SQL Injection vulnerability

SQL injection exploitable by subscriber-level users in GamiPress versions <= 7.8.7.

Metrics

CVSS v3.1: 8.5
Severity: HIGH
Fixed in: no fixed version published yet
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a SQL injection vulnerability in the GamiPress WordPress plugin, affecting all versions up to and including 7.8.7. The flaw is reachable over the network and requires only a low-privilege account (subscriber-level) to exploit, with no additional user interaction needed. Successful exploitation gives an attacker read access to sensitive database contents and causes minor disruption to availability. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images in registries and CI/CD pipelines. Coverage extends to custom-built images that bundle the GamiPress plugin.

Triage: Available

HarborGuard can score this finding at CVSS 8.5 (HIGH) and weight it against each customer's per-environment compliance policy to determine urgency. Routing to the appropriate team inbox within each customer organization is available as part of the standard triage workflow.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.

  • Authentication: Required

    A low-privilege account (subscriber-level or equivalent) is sufficient; no administrative access is needed to trigger the injection.

  • Victim interaction: Not required

    The attacker can execute the injection directly without any action from another user or administrator.

  • Attack complexity: Low (AC:L)

    Exploit reliability is high and requires no special conditions, race windows, or memory layout knowledge.

Blast Radius

  • Reads arbitrary database rows, including stored user credentials, session tokens, and private WordPress content.
  • The CVSS vector marks scope as changed (S:C), indicating that the injection reaches database tables beyond the plugin's own data.
  • Causes minor disruption to database availability, which may produce intermittent errors for site visitors or administrators.

How HarborGuard Handles This

Because no upstream patch exists for CVE-2026-48874 at this time, HarborGuard monitors the Patchstack advisory and the GamiPress release feed on every ingest cycle. As compensating controls, customers can apply network-policy isolation to restrict unauthenticated and low-privilege access paths to the affected WordPress instance, enforce egress filtering to limit what the database process can reach, and consider disabling subscriber-level registration if it is not required. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and PR against affected workloads will be generated automatically the moment an upstream fix version is published.

Affected packages

  • Ruben Garcia / GamiPress, versions ≤ 7.8.7
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L