CVE-2026-56036: WordPress 워드프레스 결제 심플페이 plugin <= 5.5.6 - SQL Injection vulnerability

Synopsis

An unauthenticated SQL injection vulnerability affects the WordPress plugin 워드프레스 결제 심플페이 (WordPress Payment SimplePay by codemstory) at version 5.5.6 and earlier. The flaw is reachable over the network with no credentials required, making it exploitable by any party that can send HTTP requests to a WordPress site running the plugin. Successful exploitation gives an attacker read access to the underlying database and causes limited disruption to service availability. No fix version has been published yet; HarborGuard is tracking the advisory and will surface a patched rebuild as soon as upstream ships one.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityRequired

  The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the WordPress site to reach it.

• AuthenticationNot required

  No account or session token of any kind is needed; the injection point is accessible to unauthenticated requests.

• Victim interactionNot required

  The attacker sends crafted requests directly to the server; no user action or social-engineering step is required.

• Attack complexityDetail

  Exploit conditions are straightforward and reliable, with no race conditions, special configurations, or environmental factors required to trigger the injection.

Blast Radius

• An attacker reads arbitrary rows from the WordPress database, including stored user credentials, session tokens, private post content, and plugin configuration data.
• Database contents from other applications sharing the same database server may be accessible depending on the MySQL user's granted privileges, because the CVSS scope is marked Changed.
• The affected service experiences limited availability impact, meaning targeted queries or repeated exploitation may degrade database responsiveness for legitimate users.