CVE-2026-56062: WordPress Quotes llama plugin <= 3.1.5 - SQL Injection vulnerability
Unauthenticated SQL Injection in Quotes llama <= 3.1.5 versions.
Metrics
- CVSS v3.1
- 9.3
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
This is an unauthenticated SQL injection vulnerability in the Quotes llama WordPress plugin, affecting versions 3.1.5 and below. The flaw is reachable over the network with no authentication required and no user interaction needed, making it trivially exploitable by any remote attacker. Successful exploitation gives an attacker read access to the underlying database and can cause minor service disruption. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built WordPress images that bundle the Quotes llama plugin.
AvailableHarborGuard surfaces this CVE with its CVSS v3.1 score of 9.3 (Critical), weighted further against each customer organization's per-environment compliance policy, and routes the finding to the appropriate team inbox based on configured ownership rules.
AvailableNo fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress instance via HTTP/HTTPS.
- AuthenticationNot required
No account or session credential of any kind is needed to trigger the SQL injection.
- Victim interactionNot required
The attacker sends a crafted HTTP request directly to the plugin; no user action or social engineering is involved.
- Attack complexityDetail
Exploitation is reliable and condition-free: no race conditions, memory layout dependencies, or special environmental configuration are required.
Blast Radius
- An attacker reads arbitrary rows from the WordPress database, including stored user credentials (hashed passwords), email addresses, session tokens, and plugin configuration data.
- Because the scope is changed (S:C in the CVSS vector), data accessible to the database user may extend beyond the WordPress installation itself, potentially including other databases on the same server.
- Availability impact is rated Low: the injected queries can degrade database performance or cause intermittent errors for legitimate site visitors.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists yet, HarborGuard continuously monitors the Patchstack advisory and associated upstream repository on every ingest cycle. In the meantime, customers can apply compensating controls through HarborGuard's network-policy tooling: isolating the WordPress container from unnecessary inbound routes, applying egress filtering to prevent data exfiltration if injection succeeds, and flagging any image bundling Quotes llama 3.1.5 or below for immediate review. The moment an upstream patch is published, a patched-image rebuild will become available; for customers with auto-remediation enabled, this triggers an automatic rebuild, regression-test run, and PR opened against affected workloads, with a median time from CVE patch publication to merged PR of around 90 minutes for Critical-severity issues.
- oooorgle / Quotes llama≤ 3.1.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L