HarborGuard Database
CRITICAL | CVE-2026-57683 | CNA: Patchstack

CVE-2026-57683: WordPress WP Fast Total Search plugin <= 1.80.280 - SQL Injection vulnerability

Unauthenticated SQL injection in WP Fast Total Search versions <= 1.80.280.

Metrics

CVSS v3.1: 9.3
Severity: CRITICAL
Fixed in: no upstream fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the WP Fast Total Search WordPress plugin, developed by Epsiloncool, at version 1.80.280 and earlier. The injection point is reachable over the network and requires neither authentication nor user interaction, so any remote party with HTTP access to a WordPress site running the affected plugin can send a crafted request. Successful exploitation lets an attacker read everything the WordPress database account can query (CVSS C:H); the vector records no integrity impact (I:N) and a limited availability impact (A:L). HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-57683 is available across every HarborGuard environment; the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines. This matching covers custom-built images that bundle WordPress and its plugins, not only images pulled from public registries.

Available
Triage

HarborGuard scores this finding at CVSS 9.3 Critical (v3.1) and surfaces it with that severity weight applied against each customer environment's compliance policy. Routing rules in each org's HarborGuard configuration direct the alert to the appropriate team inbox based on image ownership and policy thresholds.

Available
Patch

No fix version has been published upstream for this CVE; HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Epsiloncool releases a remediated version of WP Fast Total Search. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will trigger without requiring manual intervention once a fix version is available.

Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the target WordPress site.

  • Authentication: Not required

    No account or session credential of any kind is needed; the injection point is reachable by any unauthenticated HTTP request.

  • Victim interaction: Not required

    The attack is fully server-side and requires no action from any user or administrator of the WordPress site.

  • Attack complexity: Low

    Attack complexity is Low (AC:L): exploitation does not depend on conditions outside the attacker's control, such as a particular site configuration, a race window, or reconnaissance of the target beforehand. A single crafted request is expected to work reliably and repeatably.

Blast Radius

  • Reads any data stored in the WordPress database: user records (usernames, email addresses, password hashes), the hashed session tokens kept in user meta, site options, and any plugin or theme configuration, which often includes third-party API keys.
  • The vector carries Scope: Changed (S:C), meaning the impact extends beyond the vulnerable plugin itself. In practice the injected query runs with the grants of the WordPress database account, so any other schema that account can read is exposed as well.
  • Causes limited availability disruption to the affected service, consistent with the CVSS A:L rating, such as slow queries or partial denial of search functionality.
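The grant audit implied by the scope note above, written out as an added example that is not part of this advisory or of HarborGuard's tooling: it parses captured `SHOW GRANTS FOR 'user'@'host'` output, flags anything that lets the WordPress account read beyond its own schema (global grants, other schemas, WITH GRANT OPTION, privileges broader than WordPress core needs), and emits the least-privilege replacement grant. The sample grant lines and the schema name `wordpress` are constructed for illustration.

```python
"""Audit a WordPress database account's MySQL/MariaDB grants.

Added example, not part of this advisory or of HarborGuard's tooling. It works
on captured `SHOW GRANTS FOR 'user'@'host'` output; the sample lines and the
schema name 'wordpress' are constructed for illustration.
"""
import re

# Privileges the application account never needs. Granted globally (*.*), any
# of them lets a SQL-injection reader leave the application's own tables.
DANGEROUS_PRIVS = {"ALL PRIVILEGES", "FILE", "SUPER", "PROCESS", "SHOW DATABASES"}

# What WordPress core needs on its own schema (installs and upgrades create,
# alter and drop tables); nothing here reaches outside that schema.
WP_SCHEMA_PRIVS = ("SELECT", "INSERT", "UPDATE", "DELETE",
                   "CREATE", "DROP", "ALTER", "INDEX")

_GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<target>\S+)\s+TO\s+(?P<who>\S+)(?P<rest>.*)$",
    re.IGNORECASE,
)


def parse_grant(line):
    """Split one SHOW GRANTS line into privileges, schema, table and grantee."""
    m = _GRANT_RE.match(line.strip())
    if m is None or "." not in m["target"]:
        return None
    db, table = m["target"].rsplit(".", 1)
    return {
        "privs": {p.strip().upper() for p in m["privs"].split(",")},
        "db": db.strip("`"),
        "table": table.strip("`"),
        "who": m["who"],
        "grant_option": "GRANT OPTION" in m["rest"].upper(),
    }


def audit_grants(show_grants_output, app_schema):
    """Return findings (strings) for grants that widen what an injection can read."""
    findings = []
    for line in show_grants_output.splitlines():
        g = parse_grant(line)
        if g is None:
            continue
        where = f"{g['db']}.{g['table']}"
        if g["db"] == "*":
            # USAGE ON *.* is MySQL's 'no privileges' placeholder and is harmless.
            if g["privs"] != {"USAGE"}:
                findings.append(f"HIGH: {g['who']} holds {sorted(g['privs'])} globally on *.*")
        elif g["db"] != app_schema:
            findings.append(f"HIGH: {g['who']} can reach another schema: {where}")
        else:
            extra = g["privs"] - set(WP_SCHEMA_PRIVS) - {"USAGE"}
            if extra:
                findings.append(f"MEDIUM: {g['who']} has more than WordPress needs on {where}: {sorted(extra)}")
        if g["grant_option"]:
            findings.append(f"HIGH: {g['who']} can re-grant privileges (WITH GRANT OPTION) on {where}")
    return findings


def minimal_grant(user, host, app_schema):
    """The least-privilege statement to replace an over-broad account."""
    return f"GRANT {', '.join(WP_SCHEMA_PRIVS)} ON `{app_schema}`.* TO '{user}'@'{host}';"


# Constructed SHOW GRANTS captures: an over-privileged account and a tight one.
OVERBROAD_GRANTS = """\
GRANT ALL PRIVILEGES ON *.* TO 'wp_user'@'%' WITH GRANT OPTION
GRANT SELECT ON `billing`.* TO 'wp_user'@'%'
"""
TIGHT_GRANTS = """\
GRANT USAGE ON *.* TO 'wp_user'@'10.0.0.%'
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX ON `wordpress`.* TO 'wp_user'@'10.0.0.%'
"""

if __name__ == "__main__":
    for finding in audit_grants(OVERBROAD_GRANTS, "wordpress"):
        print(finding)
    print(minimal_grant("wp_user", "10.0.0.%", "wordpress"))
```

Run it against the real `SHOW GRANTS` output for the account named in wp-config.php; an empty findings list means a successful injection is confined to the WordPress schema, which is the most the A:L/I:N/C:H vector can be contained to without a patch.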

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists yet for CVE-2026-57683, HarborGuard re-checks the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild as soon as Epsiloncool publishes a remediated release. For customers who opt into auto-remediation, that rebuild is followed by a regression test run and a PR opened against affected workloads, with no manual steps required.

Until a patch is available, compensating controls worth considering:

  • Deactivate or remove the plugin on sites that can do without its search until a fixed version ships; this is the only control that removes the injection point outright.
  • Restrict public HTTP access to the plugin's search endpoints with a network policy or a web application firewall rule. A WAF signature is a stopgap against known request shapes, not a substitute for the vendor fix.
  • Audit the grants of the WordPress database account so it can read nothing beyond the application schema. The vector records no integrity impact (I:N), so bounding what the account can read bounds the damage.
  • Where compliance policy permits, have HarborGuard flag images containing WP Fast Total Search 1.80.280 or earlier as non-compliant at any pipeline gate, blocking promotion to production until a fixed version is confirmed present.
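A version gate of the kind described above, as an added example that is neither HarborGuard's scanner nor Epsiloncool's code: it reads the standard WordPress plugin header from a plugin's main PHP file, compares the `Version:` field to 1.80.280 numerically rather than as a string (plain string comparison would wrongly rank 1.80.3 above 1.80.280), and can walk the `wp-content/plugins` tree of an unpacked image layer. The plugin header shown is constructed; the plugin's on-disk directory name is not assumed, which is why matching is on the `Plugin Name` header rather than a path.

```python
"""Flag WordPress images that ship WP Fast Total Search <= 1.80.280.

Added example, not HarborGuard's scanner or Epsiloncool's code. The plugin
header below is constructed; the directory layout assumed is the standard
wp-content/plugins/<slug>/<main-file>.php.
"""
import os
import re

VULN_PLUGIN_NAME = "WP Fast Total Search"
MAX_VULNERABLE_VERSION = "1.80.280"   # advisory: "<= 1.80.280"
HEADER_BYTES = 8192                    # WordPress itself reads only the first 8 KiB for headers


def version_key(version):
    """Turn '1.80.280' into [1, 80, 280]. A pre-release tag becomes -1 so that
    '1.81.0-beta' sorts below '1.81.0'."""
    key = []
    for comp in re.split(r"[.\-+]", version.strip()):
        if comp.isdigit():
            key.append(int(comp))
        else:
            key.append(-1)
            break
    return key


def version_le(a, b):
    """Numeric a <= b. String comparison gets this wrong: '1.80.3' > '1.80.280'
    lexicographically, but 1.80.3 is the older, still-vulnerable release."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += [0] * (width - len(ka))
    kb += [0] * (width - len(kb))
    return ka <= kb


def plugin_header(php_source):
    """Extract Plugin Name and Version the way WordPress's header parser does:
    a 'Key: value' line inside the leading comment block, case-insensitive."""
    header = {}
    for key, field in (("Plugin Name", "name"), ("Version", "version")):
        m = re.search(rf"^[ \t/*#@]*{key}:\s*(.+?)\s*$", php_source,
                      re.MULTILINE | re.IGNORECASE)
        if m:
            header[field] = m.group(1)
    return header


def is_affected(php_source):
    """True if this is the plugin's main file and its version is <= 1.80.280."""
    h = plugin_header(php_source)
    if h.get("name", "").strip().lower() != VULN_PLUGIN_NAME.lower() or "version" not in h:
        return False
    return version_le(h["version"], MAX_VULNERABLE_VERSION)


def scan_plugins_dir(plugins_root):
    """Walk wp-content/plugins from an unpacked image layer; return affected main files."""
    hits = []
    for dirpath, _dirs, files in os.walk(plugins_root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(HEADER_BYTES).decode("utf-8", errors="replace")
            if is_affected(head):
                hits.append(path)
    return hits


# Constructed plugin header for illustration; not the real plugin file.
SAMPLE_PLUGIN_PHP = """<?php
/*
Plugin Name: WP Fast Total Search
Description: constructed header for this example
Version: 1.80.280
Author: Epsiloncool
*/
"""

if __name__ == "__main__":
    print("affected" if is_affected(SAMPLE_PLUGIN_PHP) else "not affected")
```

When a fixed version is published, set the gate to "less than the fix version" instead of "<= 1.80.280"; until then the upper bound from the advisory is the only thing the gate can test, so a later release must be re-checked against the updated advisory rather than assumed safe.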

Affected packages
  • Epsiloncool / WP Fast Total Search
    ≤ 1.80.280
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L