PublishPress Revisions WordPress Plugin SQL Injection (CVE-2026-32539)

Published: Mar 27, 2026 10:40

Advisory No: TZCERT-SA-26-0138

Source: CVE Database / WP-Firewall

Software Affected: PublishPress Revisions WordPress plugin, versions up to and including 3.7.23

Overview

A critical SQL Injection vulnerability (CVE-2026-32539) has been identified in the PublishPress Revisions WordPress plugin, affecting all versions up to and including 3.7.23. Disclosed on March 22, 2026, this vulnerability carries a CVSS score of 9.3 and allows unauthenticated attackers to inject SQL code directly into the plugin's database queries, potentially exposing or corrupting the entire WordPress database.

Description

CVE-2026-32539 is a critical SQL Injection vulnerability (CVSS score 9.3) in the PublishPress Revisions plugin for WordPress, affecting versions up to and including 3.7.23. The plugin fails to properly neutralize special elements in SQL commands, allowing an attacker to inject malicious SQL syntax into database queries. Since the vulnerability is exploitable without authentication, any remote attacker can craft malicious HTTP requests targeting the plugin's vulnerable endpoints to manipulate database queries. This could enable the attacker to extract sensitive data from the database (including user credentials and configuration data), modify or delete database content, or in some configurations escalate to further server-level compromise. A patch has been released in version 3.7.24.

Impact

Successful exploitation of this vulnerability allows a remote unauthenticated attacker to access, modify, or delete data within the WordPress database, potentially exposing user credentials, sensitive site content, and configuration data, and may facilitate further escalation of privileges on the affected server.

Solution

Update PublishPress Revisions to version 3.7.24 or later immediately. If an immediate update is not possible, disable the plugin and apply WAF rules to block SQL injection patterns targeting plugin endpoints. Rotate admin passwords and API keys if compromise is suspected, and take a complete backup of the database and filesystem for forensic purposes.
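An added version check for the remediation step above (example code, not TZ-CERT's or the plugin's own; the plugin file path, the sample header and the helper names are assumptions): it reads the standard WordPress plugin header and reports whether an install is still within the affected range, comparing components numerically so that 3.7.9 is not mistaken for a newer release than 3.7.24.

```python
# Added example (not TZ-CERT's or PublishPress's code): decide whether an
# installed PublishPress Revisions copy falls in the range affected by
# CVE-2026-32539 (all versions <= 3.7.23; fixed in 3.7.24) by reading the
# standard "Version:" line of a WordPress plugin header.
import re
from pathlib import Path

FIXED_VERSION = "3.7.24"  # first patched release, per the advisory
VERSION_LINE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)

# Constructed sample of a WordPress plugin header (not a real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: PublishPress Revisions
 * Version: 3.7.23
 */
"""

def parse_version(version: str) -> tuple:
    """Turn '3.7.23' into (3, 7, 23, 0) so components compare numerically;
    a plain string comparison would rank '3.7.9' above '3.7.24'.
    A pre-release suffix ('3.7.24-beta1') gets rank -1 so it sorts below
    the release it precedes and is still treated as affected."""
    core, dash, _suffix = version.partition("-")
    rank = -1 if dash else 0
    return tuple(int(part) for part in core.split(".")) + (rank,)

def extract_version(header_text: str) -> str:
    """Return the version string from a plugin header, or raise if absent."""
    match = VERSION_LINE.search(header_text)
    if match is None:
        raise ValueError("no 'Version:' line found in plugin header")
    return match.group(1)

def is_affected(version: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def check_plugin_file(path: str) -> bool:
    """Read the plugin's main file (path is an assumption) and report exposure."""
    return is_affected(extract_version(Path(path).read_text(encoding="utf-8")))

if __name__ == "__main__":
    found = extract_version(SAMPLE_HEADER)
    state = "UPDATE REQUIRED" if is_affected(found) else "patched"
    print(f"PublishPress Revisions {found}: {state}")
```

Point `check_plugin_file()` at the plugin's main PHP file under wp-content/plugins to run it against a real install.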
