{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32365", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:10:53.774Z", "datePublished": "2026-03-13T11:42:05.684Z", "dateUpdated": "2026-04-29T09:51:57.856Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "collapsing-archives", "product": "Collapsing Archives", "vendor": "robfelty", "versions": [{"changes": [{"at": "3.0.8", "status": "unaffected"}], "lessThanOrEqual": "3.0.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Doan Dinh Van | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:49.309Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in robfelty Collapsing Archives collapsing-archives allows Blind SQL Injection.<p>This issue affects Collapsing Archives: from n/a through <= 3.0.7.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in robfelty Collapsing Archives collapsing-archives allows Blind SQL Injection.This issue affects Collapsing Archives: from n/a through <= 3.0.7."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:57.856Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/collapsing-archives/vulnerability/wordpress-collapsing-archives-plugin-3-0-7-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Collapsing Archives plugin <= 3.0.7 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T14:50:29.117472Z", "id": "CVE-2026-32365", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T14:50:50.136Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32365", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T14:50:29.117472Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T14:49:17.721Z"}}], "cna": {"title": "WordPress Collapsing Archives plugin <= 3.0.7 - SQL Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Doan Dinh Van | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "affected": [{"vendor": "robfelty", "product": "Collapsing Archives", "versions": [{"status": "affected", "changes": [{"at": "3.0.8", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 3.0.7"}], "packageName": "collapsing-archives", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-13T12:41:29.318Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/collapsing-archives/vulnerability/wordpress-collapsing-archives-plugin-3-0-7-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in robfelty Collapsing Archives collapsing-archives allows Blind SQL Injection.This issue affects Collapsing Archives: from n/a through <= 3.0.7.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in robfelty Collapsing Archives collapsing-archives allows Blind SQL Injection.<p>This issue affects Collapsing Archives: from n/a through <= 3.0.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-13T11:42:05.684Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32365", "state": "PUBLISHED", "dateUpdated": "2026-03-16T14:50:50.136Z", "dateReserved": "2026-03-12T11:10:53.774Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:42:05.684Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in robfelty Collapsing Archives collapsing-archives allows Blind SQL Injection.This issue affects Collapsing Archives: from n/a through <= 3.0.7."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de Elementos Especiales utilizados en un Comando SQL ('Inyecci\u00f3n SQL') vulnerabilidad en robfelty Collapsing Archives collapsing-archives permite Inyecci\u00f3n SQL Ciega. Este problema afecta a Collapsing Archives: desde n/a hasta &lt;= 3.0.7."}], "id": "CVE-2026-32365", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:54:50.580", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/collapsing-archives/vulnerability/wordpress-collapsing-archives-plugin-3-0-7-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.0.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Collapsing Archives", "source": "cna", "vendor": "robfelty"}, "product": "collapsing_archives", "vendor": "robfelty"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-17T16:13:26.959580+00:00", "value": {"mitigation_remediation": ["Update the Collapsing Archives plugin to a version newer than 3.0.7, following the vendor\u2019s release schedule. If a newer version is unavailable, disable or remove the plugin entirely to eliminate the attack surface."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress Collapsing Archives plugin (robfelty:Collapsing Archives). All versions from the initial release through version 3.0.7 are vulnerable. No specific sub\u2011versions are excluded in the vendor's advisory.", "description_and_impact": "The vulnerability is an Improper Neutralization of Special Elements used in an SQL Command, classified as CWE-89. This flaw allows a blind SQL Injection that can be exploited to read, modify, or delete data stored in the database. The lack of proper input sanitization means that an attacker can construct malicious queries to extract sensitive information or manipulate content within the WordPress database, potentially compromising confidentiality and data integrity.", "risk_and_exploitability": "The CVSS score of 8.5 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Although the description does not explicitly state the attack vector, the plugin is publicly accessible through a WordPress site, so the likely attack vector is remote unauthenticated exploitation via crafted requests to the plugin\u2019s endpoints. Once exploited, an attacker can perform blind queries to glean or alter database contents."}}}}, "created": "2026-03-16T09:34:42.908415+00:00", "updated": "2026-03-23T09:58:52.621553+00:00", "vendors": ["robfelty", "robfelty$PRODUCT$collapsing_archives", "wordpress", "wordpress$PRODUCT$wordpress"]}