CVE-2026-12582
Received Received - Intake

SQL Injection in WordPress Library Management System Plugin

Vulnerability report for CVE-2026-12582, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: WPScan

Description

The Library Management System WordPress plugin before 3.5.8 does not sanitize and escape a user-supplied parameter before using it in a SQL statement, allowing unauthenticated attackers to perform SQL injection and extract arbitrary data from the database, including user password hashes.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
library_management_system library_management_system to 3.5.8 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to perform SQL injection and extract sensitive data from the database, including user password hashes.

This exposure of sensitive user data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access.

Failure to protect such data could result in violations of these standards, potentially leading to legal penalties, reputational damage, and the need for breach notifications.

Executive Summary

The Library Management System plugin for WordPress, before version 3.5.8, contains an unauthenticated SQL injection vulnerability. This occurs because the plugin does not properly sanitize and escape a user-supplied parameter named book_id before using it in a SQL query.

As a result, attackers can inject malicious SQL code without needing to authenticate, allowing them to extract sensitive data from the database, including user password hashes.

Impact Analysis

This vulnerability can have severe impacts as it allows unauthenticated attackers to perform SQL injection attacks on the database.

  • Attackers can extract arbitrary sensitive data from the database.
  • User password hashes can be stolen, potentially leading to account compromise.
  • The integrity and confidentiality of the database and user information are at risk.
Detection Guidance

This vulnerability involves an unauthenticated SQL injection in the Library Management System WordPress plugin prior to version 3.5.8, specifically through the unsanitized user-supplied parameter named book_id.

To detect this vulnerability on your system, you can check the version of the Library Management System plugin installed on your WordPress site. If it is older than 3.5.8, it is vulnerable.

Additionally, you can monitor network traffic or web server logs for suspicious requests that include SQL injection patterns targeting the book_id parameter.

While no specific commands are provided in the resources, common detection methods include using web vulnerability scanners that test for SQL injection on the book_id parameter or manually sending crafted HTTP requests to the plugin endpoints to observe if SQL errors or unexpected data are returned.

Mitigation Strategies

The immediate and recommended mitigation step is to update the Library Management System WordPress plugin to version 3.5.8 or later, where the vulnerability has been fixed.

Until the update can be applied, consider restricting access to the vulnerable plugin endpoints or implementing web application firewall (WAF) rules to block suspicious requests targeting the book_id parameter.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12582. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart