Description
The Apocalypse Meow plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 22.1.0. This is due to a flawed logical operator in the type validation check on line 261 of ajax.php — the condition uses `&&` (AND) instead of `||` (OR), causing the `in_array()` validation to be short-circuited and never evaluated for any non-empty type value. Combined with `stripslashes_deep()` being called on line 101 which removes `wp_magic_quotes()` protection, attacker-controlled single quotes pass through unescaped into the SQL query on line 298. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Problem types
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Product status
* (semver)
Timeline
| 2026-03-04: | Disclosed |
Credits
Louis Deschanel
References
www.wordfence.com/...-23e9-41d2-bbcd-15b0610b6538?source=cve
plugins.trac.wordpress.org/...lib/blobfolio/wp/meow/ajax.php
plugins.trac.wordpress.org/...lib/blobfolio/wp/meow/ajax.php
plugins.trac.wordpress.org/...lib/blobfolio/wp/meow/ajax.php
plugins.trac.wordpress.org/...lib/blobfolio/wp/meow/ajax.php
plugins.trac.wordpress.org/...lib/blobfolio/wp/meow/ajax.php
plugins.trac.wordpress.org/...lib/blobfolio/wp/meow/ajax.php
plugins.trac.wordpress.org/...lib/blobfolio/wp/meow/ajax.php
plugins.trac.wordpress.org/...lib/blobfolio/wp/meow/ajax.php
plugins.trac.wordpress.org/...pse-meow&sfp_email=&sfph_mail=