CVE-2026-3523
Received Received - Intake
SQL Injection in Apocalypse Meow Plugin Allows Data Extraction

Publication date: 2026-03-05

Last updated on: 2026-03-05

Assigner: Wordfence

Description
The Apocalypse Meow plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 22.1.0. This is due to a flawed logical operator in the type validation check on line 261 of ajax.php β€” the condition uses `&&` (AND) instead of `||` (OR), causing the `in_array()` validation to be short-circuited and never evaluated for any non-empty type value. Combined with `stripslashes_deep()` being called on line 101 which removes `wp_magic_quotes()` protection, attacker-controlled single quotes pass through unescaped into the SQL query on line 298. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3523
EUVD
EUVD-2026-9527
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
meow apocalypse_meow to 22.1.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Apocalypse Meow plugin for WordPress has a SQL Injection vulnerability in the 'type' parameter in all versions up to and including 22.1.0.

This happens because the validation logic for the 'type' parameter uses an AND (&&) operator instead of an OR (||), causing the in_array() check to be bypassed for any non-empty type value.

Additionally, the function stripslashes_deep() removes protections from wp_magic_quotes(), allowing attacker-controlled single quotes to pass unescaped into the SQL query.

As a result, authenticated users with Administrator-level access or higher can inject additional SQL queries into existing queries, potentially extracting sensitive information from the database.

Impact Analysis

This vulnerability allows authenticated administrators or higher to perform SQL Injection attacks.

Attackers can append malicious SQL queries to existing ones, which can lead to unauthorized extraction of sensitive data from the database.

Although the vulnerability requires high privileges (Administrator-level access), it can compromise the confidentiality of the database contents.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "The vulnerability involves SQL Injection via the 'type' parameter in the Apocalypse Meow WordPress plugin's ajax.php file. Detection would involve monitoring for suspicious SQL queries or anomalous AJAX requests targeting the 'type' parameter."}, {'type': 'paragraph', 'content': "While no explicit detection commands are provided, administrators can review login activity and AJAX requests related to the plugin using the plugin's built-in AJAX actions such as 'activity' and 'activity_csv' which log login events and bans."}, {'type': 'paragraph', 'content': "To detect suspicious activity, you could query the WordPress database table named with the prefix plus 'meow2_log' for unusual entries or unexpected SQL query patterns."}, {'type': 'paragraph', 'content': 'For example, using WP-CLI or direct database queries, you might run commands like:'}, {'type': 'list_item', 'content': "SELECT * FROM wp_meow2_log WHERE type LIKE '%sql_injection%' OR message LIKE '%type=%';"}, {'type': 'list_item', 'content': "Monitor AJAX requests to ajax.php with the 'type' parameter set to unusual or crafted values."}, {'type': 'list_item', 'content': 'Use WordPress AJAX hooks or plugin interfaces to export login activity CSVs and analyze them for anomalies.'}, {'type': 'paragraph', 'content': 'Note that the plugin requires administrator-level access to exploit, so monitoring admin AJAX activity and login attempts is critical.'}] [3, 4]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include updating the Apocalypse Meow plugin to a version later than 22.1.0 where the vulnerability is fixed.'}, {'type': 'paragraph', 'content': 'Since the vulnerability requires authenticated users with Administrator-level access, restricting and auditing administrator accounts and their access is critical.'}, {'type': 'paragraph', 'content': "Additionally, monitoring and managing login activity and bans using the plugin's enhanced admin interface and AJAX actions can help detect and prevent exploitation."}, {'type': 'paragraph', 'content': "If an update is not immediately possible, consider temporarily limiting administrator access and applying web application firewall (WAF) rules to block suspicious AJAX requests targeting the 'type' parameter in ajax.php."}, {'type': 'paragraph', 'content': "Resetting plugin settings to defaults and enforcing strong password policies via the plugin's retroactive password reset features can also reduce risk."}] [1, 3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3523. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart