CVE-2026-57683: WordPress WP Fast Total Search plugin <= 1.80.280 - SQL Injection vulnerability
Unauthenticated SQL Injection in WP Fast Total Search <= 1.80.280 versions.
Metrics
- CVSS v3.1: 9.3
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated SQL injection vulnerability affects the WP Fast Total Search WordPress plugin at version 1.80.280 and earlier, developed by Epsiloncool. The vulnerability is reachable over the network and requires no authentication or user interaction, meaning any remote party with HTTP access to a WordPress site running the affected plugin can send a crafted request. Successful exploitation gives an attacker full read access to the WordPress database and limited ability to disrupt the service. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Available: Detection capability for CVE-2026-57683 is available across every HarborGuard environment; the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines. This matching covers custom-built images that bundle WordPress and its plugins, not only images pulled from public registries.
- Available: HarborGuard scores this finding at CVSS 9.3 Critical (v3.1) and surfaces it with that severity weight applied against each customer environment's compliance policy. Routing rules in each org's HarborGuard configuration direct the alert to the appropriate team inbox based on image ownership and policy thresholds.
- Pending upstream: No fix version has been published upstream for this CVE; HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Epsiloncool releases a remediated version of WP Fast Total Search. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will trigger without requiring manual intervention once a fix version is available.
Exploit Conditions
- Network reachability: Required
  The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the target WordPress site.
- Authentication: Not required
  No account or session credential of any kind is needed; the injection point is reachable by any unauthenticated HTTP request.
- Victim interaction: Not required
  The attack is fully server-side and requires no action from any user or administrator of the WordPress site.
- Attack complexity: Low
  Attack complexity is Low, meaning the exploit is reliable and repeatable without needing to meet special preconditions, win a race, or predict memory layout.
Blast Radius
- Reads any data stored in the WordPress database, including user credentials (hashed passwords), email addresses, session tokens, and any plugin or theme configuration data.
- Because the scope is Changed (S:C), data accessible to the database user beyond the WordPress schema may also be readable if the database account has broader grants.
- Causes limited availability disruption to the affected service, consistent with the CVSS A:L rating, such as slow queries or partial denial of search functionality.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists yet for CVE-2026-57683, HarborGuard re-checks the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild the instant Epsiloncool publishes a remediated release. For customers who opt into auto-remediation, that rebuild will be followed immediately by a regression test run and a PR opened against affected workloads, with no manual steps required. While no patch is available, compensating controls worth considering include restricting public HTTP access to WordPress search endpoints via network policy or a web application firewall rule, and auditing database account permissions to limit what the WordPress DB user can read beyond the application schema. Where compliance policy permits, HarborGuard can flag images containing WP Fast Total Search 1.80.280 or earlier as non-compliant in any pipeline gate, blocking promotion to production until a fixed version is confirmed present.
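The pipeline gate described above, as an added example that is not HarborGuard's or the plugin's own code: it reads the standard WordPress plugin header (the `Version:` line), compares the value numerically against the advisory's last affected version 1.80.280, and reports the image as non-compliant when the bundled plugin is at or below that version. The sample header is constructed here; the plugin's real file path and slug are not given on this page, so the function takes the header text as a string.

```python
import re
from typing import Optional, Tuple

# Highest affected version, taken from the advisory (<= 1.80.280 is vulnerable).
LAST_AFFECTED_VERSION = "1.80.280"

# WordPress plugin headers carry a "Version:" line inside the top-of-file comment.
VERSION_HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(?P<ver>\d[\w.\-]*)\s*$", re.MULTILINE)

# Constructed sample header; the values are taken from the advisory, not from a real file.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: WP Fast Total Search
 * Version: 1.80.280
 * Author: Epsiloncool
 */
"""


def parse_version(ver: str) -> Tuple[int, ...]:
    """Split a dotted version into integers, so 1.80.280 sorts above 1.9 (string compare gets this wrong)."""
    parts = []
    for piece in ver.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b, padding shorter versions with zeros."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa, pb = pa + (0,) * (n - len(pa)), pb + (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def plugin_version_from_header(php_source: str) -> Optional[str]:
    """Extract the Version: value from a plugin's main PHP file, or None if absent."""
    m = VERSION_HEADER_RE.search(php_source)
    return m.group("ver") if m else None


def is_affected(version: str) -> bool:
    """True when the version is at or below the last affected release."""
    return compare_versions(version, LAST_AFFECTED_VERSION) <= 0


def gate_plugin(php_source: str) -> dict:
    """Pipeline-gate verdict: fail closed when the header is unreadable or the version is affected."""
    ver = plugin_version_from_header(php_source)
    if ver is None:
        return {"version": None, "compliant": False, "reason": "no Version: header found"}
    affected = is_affected(ver)
    reason = f"<= {LAST_AFFECTED_VERSION}, CVE-2026-57683" if affected else "above last affected version"
    return {"version": ver, "compliant": not affected, "reason": reason}
```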
- Epsiloncool / WP Fast Total Search: ≤ 1.80.280
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L