CVE-2026-54812: WordPress Motors plugin <= 1.4.109 - SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in StylemixThemes Motors allows Blind SQL Injection. This issue affects Motors: from n/a through 1.4.109.
Metrics
- CVSS v3.1: 9.3
- Severity: CRITICAL
- Fixed in: none published
- Affected Products: 1
HarborGuard Analysis
Synopsis
A SQL injection vulnerability affects the Motors WordPress plugin by StylemixThemes, versions 1.4.109 and earlier. The flaw is reachable over the network without any authentication or user interaction, making it exploitable by any external attacker who can reach the WordPress site. Successful exploitation enables blind SQL injection, giving an attacker read access to the underlying database contents and limited ability to disrupt service availability. No fix version has been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild the moment upstream ships a fix.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built WordPress images bundling the Motors plugin.
HarborGuard scores this CVE at CVSS 9.3 Critical (v3.1), applies each customer organization's compliance policy weighting to determine urgency, and routes the finding to the appropriate team inbox within that environment.
Because no fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the meantime, customers can apply compensating controls through HarborGuard's network-policy recommendations to reduce exposure.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network (AV:N), so an attacker must be able to reach the WordPress site over standard HTTP/HTTPS to exploit this flaw.
- Authentication: Not required
No account or credentials are needed (PR:N); the injection point is accessible to unauthenticated requests.
- Victim interaction: Not required
The attacker sends crafted requests directly to the server (UI:N) and does not need any user to click a link or take any action.
- Attack complexity: Low
Attack complexity is low (AC:L), meaning the exploit is reliable and requires no special preconditions, race conditions, or environmental factors to trigger.
Blast Radius
- An attacker can extract the contents of the WordPress database through blind SQL injection, inferring data one condition at a time: user accounts and password hashes, email addresses, and any stored customer or transactional records. Blind extraction is slower than error-based or UNION-based extraction, but not less complete.
- Database confidentiality is rated High (C:H): every table readable by the database account WordPress connects with is exposed, and a typical WordPress install uses a single account with full rights over its database.
- Integrity is rated None (I:N): the advisory describes read access to data, not modification of it.
- Availability impact is Low (A:L): the attacker can cause limited, intermittent disruption by issuing queries that tie up the database, which the time-delay functions used for blind extraction do by design.
- Scope is Changed (S:C): the vulnerable component is the plugin, but the impact lands on the WordPress database, which the plugin does not own, so the consequences reach beyond the vulnerable component's own security authority.
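Blind extraction leaves a recognisable trail in web server access logs: time-based probes carry SLEEP(), BENCHMARK(), pg_sleep() or WAITFOR DELAY, and boolean-based inference shows up as pairs of near-identical requests from one source whose injected condition differs (1=1 versus 1=2) and whose response sizes differ. The script below is an added example, not code from the advisory, HarborGuard or StylemixThemes: it parses combined-format access log lines, URL-decodes the query string (including double encoding), tags both probe styles, and groups boolean probes by source and path to check whether the response size varied. The log lines are constructed for the example, and the paths and parameter names in them are placeholders rather than the actual injection point of CVE-2026-54812, which the advisory does not disclose.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx "combined" log format: ip ident user [time] "METHOD uri PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Functions that blind, time-based probes rely on (MySQL, PostgreSQL, MSSQL).
TIME_BASED = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)
# Injected tautologies/contradictions: AND 1=1, OR 1=2, AND 'a'='a ...
BOOLEAN_BASED = re.compile(
    r"""\b(?:and|or)\b\s*(?:\d+\s*=\s*\d+|['"][^'"]*['"]\s*=\s*['"])""", re.I
)

# Constructed sample log lines; the path and parameter names are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2026:10:00:01 +0000] "GET /?s=sedan HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2026:10:00:02 +0000] "GET /?s=sedan%27%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2026:10:00:03 +0000] "GET /?s=sedan%27%20AND%201%3D1--%20- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2026:10:00:04 +0000] "GET /?s=sedan%27%20AND%201%3D2--%20- HTTP/1.1" 200 3072 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2026:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=search_listings&price=1%20AND%20%28SELECT%20BENCHMARK%281000000%2CMD5%281%29%29%29 HTTP/1.1" 200 10 "-" "python-requests/2.31"
192.0.2.44 - - [10/Jan/2026:10:00:06 +0000] "GET /listings/?make=ford&year=2019 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%2527) are still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_line(line: str):
    """Return a dict with ip, path, decoded_query and size, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    parts = urlsplit(rec["uri"])
    rec["path"] = parts.path
    rec["decoded_query"] = decode_fully(parts.query)
    return rec


def classify(decoded_query: str) -> set:
    tags = set()
    if TIME_BASED.search(decoded_query):
        tags.add("time-based")
    if BOOLEAN_BASED.search(decoded_query):
        tags.add("boolean-based")
    return tags


def analyze(log_text: str) -> list:
    """Time-based probes are reported per request; boolean probes are grouped per
    (source, path) so a true/false pair with differing response sizes stands out."""
    findings = []
    boolean_groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["decoded_query"])
        if "time-based" in tags:
            findings.append({"ip": rec["ip"], "path": rec["path"], "kind": "time-based",
                             "evidence": rec["decoded_query"]})
        if "boolean-based" in tags:
            boolean_groups[(rec["ip"], rec["path"])].append(rec)
    for (ip, path), recs in boolean_groups.items():
        sizes = {r["size"] for r in recs}
        kind = "boolean-based (response size varies)" if len(sizes) > 1 else "boolean-based"
        findings.append({"ip": ip, "path": path, "kind": kind,
                         "evidence": "; ".join(r["decoded_query"] for r in recs)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ip']:<14} {f['path']:<28} {f['kind']}: {f['evidence']}")
```

Response size is the weakest of the signals here (dynamic pages vary in size on their own), so treat the "size varies" tag as corroboration for the boolean pattern, not as evidence on its own; the time-based functions have essentially no legitimate reason to appear in a request to a WordPress site.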
How HarborGuard Handles This
Because no upstream fix has been published for CVE-2026-54812, HarborGuard monitors the Patchstack advisory on every ingest cycle and will automatically queue a patched-image rebuild the moment StylemixThemes releases a remediated version of the Motors plugin. Until then, customers can use HarborGuard's network-policy isolation recommendations to restrict public access to affected WordPress deployments, apply egress filtering at the container level, and flag any image bundling Motors <= 1.4.109 as a policy violation requiring sign-off before promotion to production. For customers with auto-remediation enabled, the patched rebuild, regression run and PR against affected workloads trigger automatically once the fix version is ingested; HarborGuard cites a median time from CVE publication to merged patch PR of around 90 minutes for critical-severity issues.
Affected product: StylemixThemes / Motors, versions <= 1.4.109
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
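Flagging an image that bundles Motors <= 1.4.109 comes down to reading each plugin's header comment under wp-content/plugins and comparing the Version field numerically. The Python below is an added example, not HarborGuard's scanner and not StylemixThemes code: it parses the WordPress plugin header the way WordPress itself does (from the first 8 KiB of the plugin's main PHP file), compares versions as integer tuples so that 1.4.9 correctly sorts below 1.4.109 (a plain string comparison gets that wrong), and walks a plugin directory. The directory slug, file names and header text in the sample tree are constructed placeholders, and matching the plugin on a Plugin Name header that begins with "Motors" is an assumption about the real plugin's header, not something the advisory states.

```python
import os
import re
import tempfile
from typing import Iterator, Optional, Tuple

AFFECTED_MAX = "1.4.109"   # advisory: Motors <= 1.4.109 is affected; no fixed version yet
HEADER_BYTES = 8192        # WordPress reads only the first 8 KiB of a plugin file for its header

# Header lines look like " * Version: 1.4.109" inside the leading /* ... */ comment block.
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:[ \t]*(.+?)[ \t\r]*$", re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.M)

# Constructed sample plugin tree; slug, file names, name string and versions are placeholders.
SAMPLE_PLUGINS = {
    "motors-car-dealer/motors.php": "<?php\n/**\n * Plugin Name: Motors\n * Version: 1.4.109\n * Author: StylemixThemes\n */\n",
    "motors-car-dealer/helpers.php": "<?php\n// helper file without a plugin header\n",
    "example-plugin/example.php": "<?php\n/*\nPlugin Name: Example Plugin\nVersion: 2.0\n*/\n",
}


def parse_plugin_header(text: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (plugin name, version) from a plugin file, or None if it carries no header."""
    head = text[:HEADER_BYTES]
    name = NAME_RE.search(head)
    if not name:
        return None
    version = VERSION_RE.search(head)
    return name.group(1), (version.group(1) if version else None)


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric tuple for comparison; non-numeric suffixes such as '-beta' are ignored."""
    key = []
    for part in v.split("."):
        digits = re.match(r"\d+", part)
        key.append(int(digits.group()) if digits else 0)
    return tuple(key)


def is_affected(version: str, ceiling: str = AFFECTED_MAX) -> bool:
    """True when version <= ceiling, padding short versions with zeros (1.5 == 1.5.0)."""
    a, b = version_key(version), version_key(ceiling)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def scan_plugins(plugins_dir: str, name_pattern: str = r"^Motors\b") -> Iterator[dict]:
    """Yield one record per plugin under plugins_dir whose header name matches name_pattern."""
    name_re = re.compile(name_pattern, re.I)
    for slug in sorted(os.listdir(plugins_dir)):
        plugin_dir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_dir):
            continue
        for fname in sorted(os.listdir(plugin_dir)):
            if not fname.endswith(".php"):
                continue
            with open(os.path.join(plugin_dir, fname), encoding="utf-8", errors="replace") as fh:
                header = parse_plugin_header(fh.read(HEADER_BYTES))
            if header and name_re.search(header[0]):
                name, version = header
                yield {"slug": slug, "file": fname, "name": name, "version": version,
                       "affected": version is not None and is_affected(version)}
                break  # the first file with a matching header is the plugin's main file


def scan_sample() -> list:
    """Write the constructed tree into a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_PLUGINS.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return list(scan_plugins(root))


if __name__ == "__main__":
    for rec in scan_sample():
        status = "AFFECTED" if rec["affected"] else "not affected"
        print(f"{rec['slug']}/{rec['file']}: {rec['name']} {rec['version']} -> {status}")
```

Point scan_plugins at the wp-content/plugins directory of an unpacked image layer; because no fixed version exists yet, any version that parses and compares at or below 1.4.109 is a hit, and a missing Version header should be treated as a finding to inspect by hand rather than silently passed.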