CVE-2026-54811: WordPress WP eMember plugin < v10.9.4 - SQL Injection vulnerability
Unauthenticated SQL Injection in WP eMember < v10.9.4 versions.
Metrics
- CVSS v3.1: 9.3
- Severity: CRITICAL
- Fixed in: v10.9.4
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated SQL injection vulnerability affects the WordPress WP eMember plugin in versions before v10.9.4. The flaw is reachable over the network with no authentication or user interaction required, making it trivially exploitable by any remote attacker who can reach the WordPress installation. Successful exploitation gives an attacker direct read access to the underlying database and limited ability to disrupt service availability. A patched-image rebuild at v10.9.4 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-54811 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds (including Patchstack) within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the WP eMember plugin. Any image layer containing a WP eMember version below v10.9.4 is flagged automatically.
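As an added illustration of the version-based detection described above (example code, not HarborGuard's scanner), the helper below reads the standard WordPress plugin header from a plugin's main PHP file and flags any WP eMember version that sorts numerically below v10.9.4. The sample header is constructed for the example and is not the plugin's real source file.

```python
import re

# Hypothetical detection helper (added example, not HarborGuard's scanner):
# flag a WP eMember plugin file whose header reports a version below the fix.
FIXED_VERSION = "10.9.4"  # from the advisory: fixed in v10.9.4

# WordPress plugin metadata lives in a comment block at the top of the main
# PHP file, one "Field: value" pair per line (the standard plugin header).
HEADER_RE = re.compile(r"^[ \t*/#]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M)


def parse_plugin_header(php_source: str) -> dict:
    """Return the Plugin Name and Version fields from a plugin header block."""
    return dict(HEADER_RE.findall(php_source))


def version_key(version: str) -> tuple:
    """Split '10.9.4' (or 'v10.9.4') into an int tuple so comparison is numeric;
    plain string comparison would wrongly rank 10.10.0 below 10.9.4.
    Non-numeric suffixes such as '-beta' are ignored."""
    parts = []
    for tok in re.split(r"[.-]", version.strip().lstrip("vV")):
        m = re.match(r"\d+", tok)
        if m:
            parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly below the fixed version."""
    a, b = version_key(version), version_key(fixed)
    width = max(len(a), len(b))  # pad so '10.9' compares as '10.9.0'
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def scan_plugin_file(php_source: str) -> dict:
    """Classify one plugin main file as affected or not by CVE-2026-54811."""
    header = parse_plugin_header(php_source)
    name = header.get("Plugin Name", "")
    version = header.get("Version")
    is_emember = "emember" in name.lower().replace(" ", "").replace("-", "")
    if not is_emember or version is None:
        return {"plugin": name, "version": version, "affected": False}
    return {"plugin": name, "version": version, "affected": is_affected(version)}


# Constructed sample header for illustration; not the plugin's real source file.
SAMPLE_PLUGIN_FILE = """<?php
/*
Plugin Name: WP eMember
Version: 10.9.3
Author: Tips and Tricks HQ
*/
"""

if __name__ == "__main__":
    print(scan_plugin_file(SAMPLE_PLUGIN_FILE))
```

Point `scan_plugin_file` at the contents of each plugin main file found under `wp-content/plugins/` in an image layer to reproduce the flagging rule for this CVE.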
HarborGuard scores this CVE at 9.3 CRITICAL using the published CVSS v3.1 vector and weights it further against each customer environment's compliance policy, escalating findings in internet-facing or PCI-scoped namespaces accordingly. Routed alerts are delivered to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
A patched-image rebuild at WP eMember v10.9.4 is available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in those environments.
Exploit Conditions
- Network reachability: Required
  The attacker must be able to reach the WordPress installation over the network; no local or physical access is needed.
- Authentication: Not required
  No account or session credentials of any kind are needed to trigger the injection.
- Victim interaction: Not required
  The attacker sends a crafted HTTP request directly; no user action or social engineering is involved.
- Attack complexity: Low (AC:L)
  Exploitation is reliable and condition-free, requiring no race conditions, specific memory layout, or environmental setup beyond network access.
Blast Radius
- Reads stored database content, including user credentials, membership records, email addresses, and any other data held in the WordPress database.
- The scope impact is changed (S:C), meaning data readable by the database user can extend beyond the WordPress application itself to other schemas or tables the DB account can access.
- Causes limited disruption to service availability, consistent with the A:L rating; the database or application may become partially degraded under exploit conditions.
How HarborGuard Handles This
Available on HarborGuard: images containing WP eMember below v10.9.4 are detected automatically upon ingest, scored at 9.3 CRITICAL, and surfaced to the relevant team inbox. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at v10.9.4, runs regression tests, and opens a pull request against the affected workload, with a median time to merged patch PR of around 90 minutes for critical-severity findings. For environments where auto-remediation is not enabled, the finding is queued as a high-priority action item. Until the patched image is deployed, compensating controls worth considering include restricting public HTTP access to the WordPress installation via network policy, placing the site behind an authenticated reverse proxy or WAF rule targeting anomalous SQL syntax in query parameters, and auditing database account permissions to limit the blast radius of any successful injection.
Fix available
- Tips and Tricks HQ / WP eMember < v10.9.4 (from n/a)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L