CVE-2026-52712: WordPress Attendance Manager plugin <= 0.6.2 - SQL Injection vulnerability
Subscriber SQL Injection in Attendance Manager <= 0.6.2 versions.
Metrics
- CVSS v3.1: 7.6
- Severity: HIGH
- Fixed in: none yet (no upstream fix published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
SQL injection vulnerability in the Attendance Manager WordPress plugin affects all versions up to and including 0.6.2. The flaw is reachable over the network and requires a low-privilege (subscriber-level) account plus a victim interaction step to trigger. Successful exploitation gives an attacker read access to sensitive database contents and can cause limited disruption to availability. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Detection (Available): Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built WordPress images that bundle the Attendance Manager plugin.
- Scoring and routing (Available): HarborGuard scores this finding at CVSS 7.6 HIGH and can weight it further against each customer organization's compliance policy before routing the alert to the appropriate team inbox.
- Patched rebuild (Pending upstream): Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the vendor ships a corrected release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so the attacker must be able to reach the WordPress installation via HTTP/HTTPS.
- Authentication: Required
A low-privilege subscriber-level account is sufficient; no administrative credentials are needed.
- Victim interaction: Required
A victim (typically an authenticated user) must perform an action, such as following a crafted link, for the injection to be triggered.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific environmental configurations.
Blast Radius
- Reads sensitive data from the WordPress database, including user records, session tokens, and any data stored by other installed plugins.
- Causes limited availability impact by disrupting query execution, which can slow or crash specific database-backed pages.
How HarborGuard Handles This
Available on HarborGuard: this CVE is monitored continuously with no action required from customers to enable detection. Because no patched version of the Attendance Manager plugin exists yet, HarborGuard will flag every image found to include the affected plugin version (0.6.2 or earlier) and re-evaluate the advisory on each ingest cycle. Where compliance policy permits, compensating controls can be applied in the interim: network-policy rules that restrict unauthenticated and low-privilege access paths to the affected endpoints, egress filtering to limit what a successful attacker can exfiltrate from the database host, and feature-flag or role-based gating to disable the vulnerable functionality until a patch is available. The moment an upstream fix is published, a patched-image rebuild becomes available on HarborGuard, and customers with auto-remediation enabled will receive an automatic rebuild, regression test run, and a PR opened against affected workloads.
Affected Products
- tnomi / Attendance Manager ≤ 0.6.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:L