Home

Description

The Library Management System WordPress plugin before 3.5.8 does not sanitize and escape a user-supplied parameter before using it in a SQL statement, allowing unauthenticated attackers to perform SQL injection and extract arbitrary data from the database, including user password hashes.

PUBLISHED Reserved 2026-06-18 | Published 2026-07-13 | Updated 2026-07-13 | Assigner WPScan

Problem types

CWE-89 SQL Injection

Product status

Default status
unaffected

3.5 (semver) before 3.5.8
affected

Credits

João Ramos Maciel finder

WPScan coordinator

References

wpscan.com/...rability/762dd8c3-8972-46ef-90c2-9f3f5dce4370/ exploit vdb-entry technical-description

cve.org (CVE-2026-12582)

nvd.nist.gov (CVE-2026-12582)

Download JSON