WordPress Plugin Vulnerabilities

Library Management System < 3.5.8 - Unauthenticated SQL Injection via book_id

Description

The plugin does not sanitize and escape a user-supplied parameter before using it in a SQL statement, allowing unauthenticated attackers to perform SQL injection and extract arbitrary data from the database, including user password hashes.

Proof of Concept

Affects Plugins

References

Classification

Type
SQLI
OWASP top 10
CWE
CVSS

Miscellaneous

Original Researcher
João Ramos Maciel
Submitter
João Ramos Maciel
Submitter website
Verified
Yes

Timeline

Publicly Published
2026-06-22 (about 24 days ago)
Added
2026-06-22 (about 23 days ago)
Last Updated
2026-07-10 (about 5 days ago)

Other