HarborGuard Database

CVE-2026-56070 (CRITICAL), CNA: Patchstack

CVE-2026-56070: WordPress Advance Product Search plugin <= 1.4.4 - SQL Injection vulnerability

Unauthenticated SQL Injection in Advance Product Search <= 1.4.4 versions.

Metrics

CVSS v3.1 base score: 9.3
Severity: CRITICAL
Fixed in: no fixed version published upstream yet
Affected products: 1


HarborGuard Analysis

Synopsis

This is an unauthenticated SQL injection vulnerability in the Advance Product Search WordPress plugin by ThemeHunk, affecting all versions up to and including 1.4.4. The flaw is reachable over the network with no account or authentication required, making it trivially accessible to any remote attacker. Successful exploitation allows an attacker to read data from the underlying database and cause limited disruption to service availability. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-56070 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication via continuous ingestion from upstream advisory feeds including Patchstack. Custom-built images containing the affected plugin package are covered by the same matching pipeline.

Status: Available
Triage

HarborGuard is capable of scoring this CVE at 9.3 CRITICAL (CVSS v3.1) within each customer environment, with per-environment compliance policy weighting applied to route alerts to the appropriate team inbox inside each customer org.

Status: Available
Patch

Because no fix version has been published upstream, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated version of the plugin is released. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable search endpoint is exposed over the network and must be reachable by the attacker to send a malicious SQL payload.

  • Authentication: Not required

    No account or session token is needed; the injection point is accessible to any anonymous HTTP request.

  • Victim interaction: Not required

    The attacker sends requests directly to the service; no user action is required to trigger the vulnerability.

  • Attack complexity: Low (AC:L)

    Exploitation is straightforward and repeatable, with no race conditions or environmental dependencies.

Blast Radius

  • The C:H token means the attacker can read data from the WordPress database. In a stock install that includes the wp_users table (login names, email addresses, password hashes) and usermeta rows such as hashed session tokens; the hashes are not plaintext credentials, but they can be cracked offline, so treat exposure as a credential breach and force password resets.
  • Database contents such as order records, product data, and any custom post meta stored in the site are exposed to exfiltration.
  • The I:N token means the advisory does not credit the attacker with modifying data; the A:L token indicates the attacker can degrade availability of the search feature or cause partial service disruption through malformed or slow queries.

How HarborGuard Handles This

Because no upstream fix exists for CVE-2026-56070 as of publication, the platform monitors the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment a fixed version of the Advance Product Search plugin is released. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will fire without manual intervention once the upstream patch ships. Customers managing compliance policy manually should track the advisory status in the HarborGuard dashboard, where the CVE is flagged as unpatched until upstream remediation is confirmed.

In the interim, compensating controls are worth considering, with their limits kept in mind:

  • Deactivate the plugin if the site can tolerate losing its search feature; this is the only interim measure that removes the injection point rather than filtering traffic to it.
  • Web application firewall rules targeting SQL metacharacter patterns in the search parameters. Pattern matching is a stopgap: encoding tricks and comment obfuscation can slip past signatures, and a rule will not catch a payload that arrives through a parameter it does not cover, so treat it as detection with some blocking rather than as a fix.
  • Network-policy rules that restrict public exposure of the WordPress search endpoint, where the deployment allows it. On a public storefront the search endpoint is usually meant to be reachable, so this control mostly applies to staging and internal installs.
  • Egress filtering to limit what an attacker could move off the host even if injection succeeds. Data read through the injected query returns in the HTTP response to the attacker, so egress controls help mainly against follow-on tooling, not the injection itself.

The durable fix is upstream: the plugin building its query with bound parameters (in WordPress, through $wpdb->prepare()) instead of interpolating the search term into SQL.
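For the WAF/log-review control above, the following is an added example of the kind of check a defender would run over web-server access logs while waiting for the upstream patch. It is not HarborGuard code and not the plugin's code; the parameter names in SEARCH_PARAMS are hypothetical, since the advisory does not name the injection point, and the log lines are constructed samples. It shows two things the paragraph does not: a bare apostrophe is not a usable signal (a search for "O'Brien" must not alert), and a single URL-decode pass misses a double-encoded payload, which is one of the evasions that makes signature matching a stopgap.

```python
"""
Triage helper for the interim WAF/log-review control: scan web-server access
log lines for search parameters that carry SQL metacharacter patterns.
Constructed example, not HarborGuard or Advance Product Search code.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache/nginx combined-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Hypothetical parameter names: the advisory does not name the injection
# point, so adjust this set to the plugin's real search parameters.
SEARCH_PARAMS = {"s", "search", "keyword", "q"}

# Ordered (pattern, label) pairs. A bare apostrophe is deliberately NOT a
# signal: "O'Brien" is a legitimate search; a quote followed by a boolean
# operator and a comparison is not.
SQL_PATTERNS = [
    (re.compile(r"\bunion\b[\s\S]{0,40}?\bselect\b", re.I), "union-select"),
    (re.compile(r"\b(sleep|benchmark)\s*\(", re.I), "time-based"),
    (re.compile(r"['\"]\s*(or|and)\s+[\w'\"]+\s*=", re.I), "tautology"),
    (re.compile(r"(--[\s-]|--$|/\*)"), "comment"),
]


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %2527 is seen as a quote."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value: str) -> list:
    """Return the labels of every SQL pattern found in a decoded value."""
    return [label for pattern, label in SQL_PATTERNS if pattern.search(value)]


def scan_line(line: str) -> list:
    """Return one finding per suspicious search parameter on a log line."""
    match = LOG_RE.match(line)
    if not match:
        return []
    query = urlsplit(match.group("target")).query
    findings = []
    # parse_qsl decodes one layer; decode_fully handles double encoding.
    for name, raw in parse_qsl(query, keep_blank_values=True):
        if name not in SEARCH_PARAMS:
            continue
        value = decode_fully(raw)
        labels = classify(value)
        if labels:
            findings.append({
                "ip": match.group("ip"),
                "status": int(match.group("status")),
                "param": name,
                "value": value,
                "labels": labels,
            })
    return findings


def scan_log(lines) -> list:
    """Scan every line and tag each finding with its 1-based line number."""
    results = []
    for number, line in enumerate(lines, start=1):
        for finding in scan_line(line):
            finding["line"] = number
            results.append(finding)
    return results


# Constructed sample traffic: two benign searches, then three probes, the
# second of them double-encoded to slip past a single-decode filter.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2026:12:00:01 +0000] "GET /?s=running+shoes&post_type=product HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/May/2026:12:00:02 +0000] "GET /?s=O%27Brien+jacket HTTP/1.1" 200 4880',
    '198.51.100.23 - - [10/May/2026:12:00:03 +0000] "GET /?s=shoes%27+OR+1%3D1--+- HTTP/1.1" 200 9120',
    '198.51.100.23 - - [10/May/2026:12:00:04 +0000] "GET /?s=shoes%2527+AND+SLEEP%25285%2529--+- HTTP/1.1" 200 5120',
    '198.51.100.23 - - [10/May/2026:12:00:05 +0000] "GET /?s=shoes%27+UNION+SELECT+1%2C2%2C3--+- HTTP/1.1" 500 312',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['ip']} {finding['param']}="
              f"{finding['value']!r} -> {', '.join(finding['labels'])}")
```

Run against the samples, the two benign lines produce no findings and the three probes are flagged, including the double-encoded SLEEP() probe that a filter decoding only once would read as harmless text. The same limits the paragraph notes still apply: a payload in a parameter outside SEARCH_PARAMS, or one obfuscated beyond these four patterns, passes silently, which is why this belongs in detection and not in place of the upstream fix.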

Affected packages
  • ThemeHunk / Advance Product Search, versions ≤ 1.4.4

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L