HarborGuard Database
CRITICAL | CVE-2026-52693 | CNA: Patchstack

CVE-2026-52693: WordPress eCommerce Product Catalog plugin <= 3.5.5 - SQL Injection vulnerability

Unauthenticated SQL Injection in eCommerce Product Catalog <= 3.5.5 versions.

Metrics

  • CVSS v3.1 base score: 9.3
  • Severity: CRITICAL
  • Fixed in: no fixed version published yet (pending upstream)
  • Affected products: 1


HarborGuard Analysis

Synopsis

This is an unauthenticated SQL injection vulnerability in the eCommerce Product Catalog WordPress plugin (versions 3.5.5 and earlier). The flaw is reachable over the network and requires neither a login nor any user interaction, so any remote client that can reach a site running the affected plugin can send a crafted request to the injection point. Successful exploitation gives the attacker read access to the WordPress database, with whatever privileges the site's database connection holds, and is rated as having a low availability impact on the site. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: CVE-2026-52693 is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against all customer images, including custom-built images that bundle this plugin. Coverage applies to images in both connected registries and active CI/CD pipelines.

Available
Triage

Triage is available with a CVSS v3.1 score of 9.3 (CRITICAL) applied to every matched image, weighted further by each customer organization's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within the customer org based on configured ownership rules.

Available
Patch

No fix version has been published by the upstream maintainer as of the publication date of this record. HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released; customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.

Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network (AV:N), so the attacker must be able to reach the WordPress site over HTTP/HTTPS to deliver the malicious request.

  • Authentication: Not required

    No account or session credential of any kind is needed (PR:N); the injection point is accessible to any unauthenticated HTTP request.

  • Victim interaction: Not required

    The attack is entirely server-side (UI:N) and requires no action from any user or administrator of the target site.

  • Attack complexity: Low

    Attack complexity is rated low (AC:L): exploitation does not depend on race conditions, non-default configuration, or other conditions outside the attacker's control, so a single crafted request is expected to succeed against any affected version.

Blast Radius

  • Confidentiality impact is high (C:H): the attacker can read whatever the plugin's database connection is permitted to SELECT, which in a typical installation is the entire WordPress database, including user records with password hashes, email addresses, order and customer data, and the tables of every other installed plugin.
  • Scope is changed (S:C): the vulnerable component is the plugin running inside WordPress, but the impacted component is the database server. The exposure therefore extends to everything the WordPress database user can read, which may include other schemas or databases on the same server if that account was granted more than the WordPress database.
  • Integrity is rated none (I:N): the vector scores this as a read-only injection and does not credit the attacker with modifying or deleting records through it.
  • Availability is rated low (A:L): expensive or malformed injected queries can degrade the site or cause intermittent errors under load, but the vector does not credit a full denial of service.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-52693 is matched against customer images as soon as the advisory is ingested, covering any image that bundles the eCommerce Product Catalog plugin at version 3.5.5 or earlier. Because no upstream fix exists yet, HarborGuard monitors the advisory on every ingest cycle and triggers a patched-image rebuild automatically when the maintainer publishes a remediated version; for customers with auto-remediation enabled, that flow includes a regression-test run and a PR opened against affected workloads. Until a patch is available, compensating controls worth considering are, in decreasing order of effectiveness: deactivating the plugin where the catalog functionality is non-critical, which removes the injection point entirely; web application firewall rules targeting SQL injection patterns on the plugin's request parameters, which reduce exposure but can be bypassed by encoding and syntax variants, so treat them as a stopgap rather than a fix; and network-policy rules restricting public HTTP access to the affected endpoints. Note that because the injection requires no authentication, restricting only /wp-admin does not help unless the vulnerable endpoint itself sits behind that restriction, and the advisory does not state where the injection point is. HarborGuard surfaces the patch-available signal immediately upon upstream publication so the remediation window is as short as possible.
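The WAF and detection controls above need something concrete to match on. The following is an added example, not code from HarborGuard, impleCode, or the plugin: a small scanner that runs generic SQL injection indicators over web server access logs in combined log format. The log lines, the /shop/ path and the product and search parameter names are constructed for illustration; the advisory does not name the real injection parameter, so the rules are applied to every query parameter rather than a plugin-specific one.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/Nginx combined log format. Only the fields the scanner needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Generic SQL injection indicators, deliberately kept narrow. A bare "union select"
# is plausible English in a product search box, so the UNION rule additionally
# requires something that looks like a SELECT list (number, NULL, *, @var, a
# function call, or a comma-separated column name) after the keyword.
INDICATORS = {
    "union_select": re.compile(
        r"\bunion\b(?:\s|/\*.*?\*/)+(?:all\s+)?select\b\s*"
        r"(?:\d|null\b|\*|@|\(|[a-z_]\w*\s*,)", re.I),
    "quote_boolean": re.compile(r"['\"]\s*(?:or|and)\s+['\"\w]+\s*=\s*['\"\w]+", re.I),
    "numeric_boolean": re.compile(r"\b(?:or|and)\s+\d+\s*=\s*\d+", re.I),
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "schema_probe": re.compile(r"\binformation_schema\b|\bwp_users\b", re.I),
    "comment_terminator": re.compile(r"(?:--|#|/\*)\s*$"),
}

# Constructed sample traffic (not real logs). Lines 2-4 are injection attempts;
# line 5 is a benign search containing the words "union select".
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2026:10:01:02 +0000] "GET /shop/?product=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2026:10:01:05 +0000] "GET /shop/?product=12%27%20OR%201%3D1-- HTTP/1.1" 200 9810 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2026:10:02:11 +0000] "GET /shop/?product=12%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users HTTP/1.1" 500 220 "-" "curl/8.4.0"
198.51.100.7 - - [12/Mar/2026:10:02:40 +0000] "GET /shop/?product=12%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "curl/8.4.0"
192.0.2.44 - - [12/Mar/2026:10:03:00 +0000] "GET /shop/?search=union+select+committee HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""


def scan_log(text: str) -> list:
    """Return one finding per (request, parameter) whose decoded value matches an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess at fields
        url = urlsplit(m["target"])
        # parse_qsl percent-decodes and turns '+' into spaces, so the rules
        # see the same text the application's query layer would.
        for param, value in parse_qsl(url.query, keep_blank_values=True):
            hits = [name for name, rx in INDICATORS.items() if rx.search(value)]
            if hits:
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "path": url.path,
                    "param": param, "value": value,
                    "status": int(m["status"]), "indicators": hits,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} {f['param']}={f['value']!r} "
              f"status={f['status']} indicators={','.join(f['indicators'])}")
```

Run against the sample, the scanner flags the three probes from the two source addresses and leaves the benign "union select committee" search alone. Matching on decoded parameter values is what makes the rules survive percent-encoding; they still do not catch every syntactic variant, which is why the paragraph above treats WAF-style matching as a stopgap rather than a substitute for the upstream fix.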

Affected packages
  • impleCode / eCommerce Product Catalog
    ≤ 3.5.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L