WordPress Plugin Vulnerabilities
Library Management System < 3.5.8 - Unauthenticated SQL Injection via book_id
Description
The plugin does not sanitize and escape a user-supplied parameter before using it in a SQL statement, allowing unauthenticated attackers to perform SQL injection and extract arbitrary data from the database, including user password hashes.
Proof of Concept
Affects Plugins
References
CVE
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
João Ramos Maciel
Submitter
João Ramos Maciel
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2026-06-22 (about 24 days ago)
Added
2026-06-22 (about 23 days ago)
Last Updated
2026-07-10 (about 5 days ago)