External risk intelligence

WP Data Access Unauthenticated SQL Injection Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-42665

An unauthenticated SQL injection vulnerability exists in the WP Data Access plugin, potentially allowing attackers to execute malicious SQL commands. This could lead to unauthorized access to sensitive data or disruption of database operations if the plugin is used in relevant configurations. It is important to determi

Halo Surface Signal score: 4

SQL Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-42665

The vulnerability affects a WordPress plugin, which is a type of web application component commonly deployed as a public-facing web endpoint. Because WordPress sites are frequently exposed to the internet to serve content or handle user interactions, the vulnerable code path is likely to be reachable by external users.

PCI scan relevance

PCI Relevance for CVE-2026-42665

Yes

CVE-2026-42665 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This SQL injection vulnerability impacts WP Data Access and is critical, likely causing a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a critical vulnerability in a WordPress data access plugin that could allow unauthenticated attackers to inject malicious SQL commands. Such an attack could potentially expose sensitive data or disrupt operations, depending on the specific configurations and the data managed by the plugin. The primary concern is to confirm if this specific plugin is in use and, if so, what data it accesses.

  • Unauthenticated attackers can inject harmful SQL commands.
  • Confirm whether this plugin is in use and what data it accesses.
  • Assess exposure and confirm relevance to your systems.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could target the WP Data Access plugin on a WordPress website. By sending specially crafted requests, an attacker could inject malicious SQL code, potentially leading to unauthorized access to sensitive data or disruption of database operations.

  • No authentication required.
  • SQL injection via crafted requests.
  • Data exposure or manipulation risk.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated SQL injection vulnerability in WP Data Access could allow an attacker to execute arbitrary SQL commands. This could potentially expose sensitive database information or disrupt service when the plugin is used in supported configurations that interact with a database.

  • Database information could be exposed.
  • Unauthenticated network access to the site is enough to trigger it.
  • Potential for data leakage or service disruption.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical SQL injection vulnerability in WP Data Access likely impacts website owners and their associated platform or infrastructure teams. The first step should be to identify all instances of WP Data Access across your web presence, confirm if any are exposed to the internet or handle sensitive data, and then locate the accountable application owner to plan remediation.

  • Application owners are accountable for remediating the issue.
  • Verify internet-facing, business-critical instances first.
  • Plan remediation with vendor or platform teams.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the WP Data Access plugin?

WP Data Access is a WordPress plugin designed to help users manage, display, and interact with database tables directly within the WordPress dashboard. It is commonly used to create data-driven applications or manage custom content without extensive coding. By providing an interface for database operations, it acts as a bridge between the website's front end and its underlying database management system.

How does CVE-2026-42665 work?

This vulnerability is an SQL Injection (CWE-89). It occurs when the plugin fails to properly sanitize or validate user-supplied input before using it in a database query. Because of this weakness, an attacker can submit specially crafted input that the database interprets as part of the query rather than as data. This effectively tricks the plugin into performing unintended actions, such as revealing private database contents or interfering with normal operations.

Do I need to be logged in for this to happen?

No. This vulnerability is classified as unauthenticated, meaning an attacker does not need an account or special permissions on your WordPress site to attempt the attack. Simply sending a malicious request to the web server can trigger the flaw. However, if the plugin is not installed, or if the specific feature containing the vulnerable code path is disabled or not in use, the request will not trigger the bug.

Is my website at risk if it is public-facing?

Yes, public-facing instances are at higher risk. According to Halo Surface Signal, because WordPress sites are typically exposed to the internet to serve content, this plugin is often reachable by external users. If your installation is accessible from the web, it is a potential entry point for this vulnerability, so verifying your installed plugin version is more urgent there than on isolated internal systems.

When should I take action for this CVE?

You should act immediately by auditing your web environment to locate all instances of the WP Data Access plugin. Since this is a critical issue, start by identifying which instances are internet-facing or connected to sensitive data repositories. Once identified, coordinate with your application owners to plan for the removal of the vulnerable component or the application of vendor-provided updates to mitigate the risk of unauthorized database access.
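The first step in both the Operational Fix section and the answer above is to find every install of the plugin and its version. The following inventory helper is an added example, not part of this advisory or of the plugin itself: it walks one or more WordPress document roots, reads the standard plugin header from each plugin's main PHP file, and reports installs of the plugin that are older than a fixed version you pass in. The directory slug `wp-data-access` and the sample version numbers are assumptions; the advisory states no fixed version, so `demo()` uses a placeholder.

```python
import re
import tempfile
from pathlib import Path

# WordPress plugin headers are "Key: Value" lines in the comment block at the
# top of the plugin's main PHP file; only two keys are needed here.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)
ASSUMED_SLUG = "wp-data-access"  # assumption: confirm against your own install


def parse_plugin_header(php_file):
    """Return the Plugin Name / Version headers found in a plugin file."""
    head = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
    return dict(HEADER_RE.findall(head))


def inventory_plugins(docroot):
    """Map plugin directory slug -> header dict for every plugin in a docroot."""
    plugins = {}
    plugin_root = Path(docroot) / "wp-content" / "plugins"
    if not plugin_root.is_dir():
        return plugins
    for plugin_dir in sorted(p for p in plugin_root.iterdir() if p.is_dir()):
        for php in sorted(plugin_dir.glob("*.php")):
            hdr = parse_plugin_header(php)
            if "Plugin Name" in hdr:  # first file with a header is the main file
                plugins[plugin_dir.name] = hdr
                break
    return plugins


def version_tuple(v):
    """Numeric tuple so that 5.5.1 < 5.10 compares correctly."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def find_vulnerable(docroots, fixed_version, slug=ASSUMED_SLUG):
    """Return [(docroot, installed_version)] for installs below fixed_version."""
    hits = []
    for root in docroots:
        hdr = inventory_plugins(root).get(slug)
        if hdr:
            installed = hdr.get("Version", "0")
            if version_tuple(installed) < version_tuple(fixed_version):
                hits.append((str(root), installed))
    return hits


def demo():
    """Constructed sample tree: two sites, one outdated, one at the placeholder fix."""
    with tempfile.TemporaryDirectory() as tmp:
        for site, ver in (("site-a", "5.5.1"), ("site-b", "9.9.9")):
            d = Path(tmp) / site / "wp-content" / "plugins" / ASSUMED_SLUG
            d.mkdir(parents=True)
            (d / "main.php").write_text(
                f"<?php\n/*\nPlugin Name: WP Data Access\nVersion: {ver}\n*/\n")
        hits = find_vulnerable([Path(tmp) / "site-a", Path(tmp) / "site-b"], "9.9.9")
        return [(Path(r).name, v) for r, v in hits]
```

In production, replace the placeholder fixed version with the one from the vendor's changelog and point `find_vulnerable` at your real document roots.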
