CVE-2026-32539
Blind SQL Injection in PublishPress Revisions
Publication date: 2026-03-25
Last updated on: 2026-03-25
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| publishpress | publishpress_revisions | to 3.7.23 (inc) |
| publishpress | revisionary | to 3.7.23 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32539 is a high-priority SQL Injection vulnerability found in the WordPress PublishPress Revisions Plugin versions up to and including 3.7.23.
This vulnerability allows unauthenticated attackers to interact directly with the websiteβs database by injecting malicious SQL commands.
It is classified under OWASP Top 10 A3: Injection and has a critical CVSS severity score of 9.3.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to your websiteβs database by attackers without needing any privileges.
Potential impacts include data theft, data manipulation, and unauthorized control over sensitive information stored in the database.
Because of its critical severity and ease of exploitation, it poses a significant risk to website security and data integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-32539 vulnerability immediately, users should update the WordPress PublishPress Revisions Plugin to version 3.7.24 or later.
Until the plugin is updated, it is recommended to use Patchstack's automatic mitigation rules which can block attacks targeting this vulnerability.
Patchstack also offers auto-update features for vulnerable plugins to help ensure rapid protection.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-32539 vulnerability allows unauthenticated attackers to perform SQL Injection attacks, potentially leading to unauthorized access, theft, or manipulation of sensitive data stored in the affected WordPress PublishPress Revisions Plugin databases.
Such unauthorized data access and manipulation can result in violations of data protection regulations and standards like GDPR and HIPAA, which require the safeguarding of personal and sensitive information against unauthorized disclosure or alteration.
Therefore, if exploited, this vulnerability could compromise compliance with these regulations by exposing or altering protected data without proper authorization.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Blind SQL Injection in the WordPress PublishPress Revisions Plugin versions up to 3.7.23, allowing unauthenticated attackers to interact with the database.
To detect this vulnerability on your system, you should first verify the plugin version installed on your WordPress site. If the version is 3.7.23 or earlier, the site is vulnerable.
You can check the plugin version by running the following command in the WordPress installation directory:
- grep 'Version' wp-content/plugins/publishpress-revisions/readme.txt
Alternatively, you can check the plugin version via WP-CLI with this command:
- wp plugin get publishpress-revisions --field=version
For network detection, monitoring HTTP requests for suspicious SQL injection patterns targeting the PublishPress Revisions plugin endpoints can help identify exploitation attempts.
Patchstack provides automatic mitigation rules that can be deployed to block attacks targeting this vulnerability until the plugin is updated.
The recommended action is to update the plugin to version 3.7.24 or later to eliminate the vulnerability.