{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32418", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:11:26.570Z", "datePublished": "2026-03-13T11:42:15.769Z", "dateUpdated": "2026-04-29T09:51:59.016Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "meow-gallery", "product": "Meow Gallery", "vendor": "Jordy Meow", "versions": [{"changes": [{"at": "5.4.5", "status": "unaffected"}], "lessThanOrEqual": "5.4.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:06:14.831Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jordy Meow Meow Gallery meow-gallery allows Blind SQL Injection.<p>This issue affects Meow Gallery: from n/a through <= 5.4.4.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jordy Meow Meow Gallery meow-gallery allows Blind SQL Injection.This issue affects Meow Gallery: from n/a through <= 5.4.4."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:59.016Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/meow-gallery/vulnerability/wordpress-meow-gallery-plugin-5-4-4-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Meow Gallery plugin <= 5.4.4 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T18:14:40.893582Z", "id": "CVE-2026-32418", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T18:15:07.795Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32418", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T18:14:40.893582Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T18:13:39.885Z"}}], "cna": {"title": "WordPress Meow Gallery plugin <= 5.4.4 - SQL Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "affected": [{"vendor": "Jordy Meow", "product": "Meow Gallery", "versions": [{"status": "affected", "changes": [{"at": "5.4.5", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 5.4.4"}], "packageName": "meow-gallery", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-13T12:41:19.684Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/meow-gallery/vulnerability/wordpress-meow-gallery-plugin-5-4-4-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jordy Meow Meow Gallery meow-gallery allows Blind SQL Injection.This issue affects Meow Gallery: from n/a through <= 5.4.4.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jordy Meow Meow Gallery meow-gallery allows Blind SQL Injection.<p>This issue affects Meow Gallery: from n/a through <= 5.4.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-13T11:42:15.769Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32418", "state": "PUBLISHED", "dateUpdated": "2026-03-13T18:15:07.795Z", "dateReserved": "2026-03-12T11:11:26.570Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:42:15.769Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jordy Meow Meow Gallery meow-gallery allows Blind SQL Injection.This issue affects Meow Gallery: from n/a through <= 5.4.4."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de Elementos Especiales utilizados en un Comando SQL ('Inyecci\u00f3n SQL') vulnerabilidad en Jordy Meow Meow Gallery meow-gallery permite Inyecci\u00f3n SQL Ciega. Este problema afecta a Meow Gallery: desde n/d hasta &lt;= 5.4.4."}], "id": "CVE-2026-32418", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:54:59.307", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/meow-gallery/vulnerability/wordpress-meow-gallery-plugin-5-4-4-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.4.4]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.4.5,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Meow Gallery", "source": "cna", "vendor": "Jordy Meow"}, "product": "meow_gallery", "vendor": "jordy_meow"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T15:46:34.223613+00:00", "value": {"mitigation_remediation": ["Upgrade Meow Gallery to version 5.4.5 or later to remove the vulnerability.", "If an upgrade is not immediately possible, deactivate the plugin or restrict its access so that unauthorised users cannot interact with it.", "Deploy a web application firewall or input validation rules to detect and block suspicious SQL injection payloads aimed at the plugin.", "Monitor database logs and WordPress admin activity for signs of unauthorized queries or abnormal behavior."], "summary": {"action": "Apply Patch", "impact": "SQL Injection (Blind)"}, "threat_synthesis": {"affected_systems": "All releases of the Jordy Meow Meow Gallery plugin up to and including version 5.4.4 are affected; no further version granularity is supplied.", "description_and_impact": "This vulnerability is an instance of improper neutralization of special elements used in an SQL command (CWE-89). The Meow Gallery plugin allows blind SQL injection through its input handling, as described in the vendor statement. No explicit description of data read/write or other functions is provided in the CVE data.", "risk_and_exploitability": "The CVSS v3.1 score of 7.6 indicates high severity, while the EPSS score of less than 1% suggests low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves sending crafted input to the plugin\u2019s HTTP endpoints; this inference is based on common web\u2011application injection patterns and is not directly confirmed in the source data. No public exploit code is known at the time of this analysis."}}}}, "created": "2026-03-16T09:33:53.904566+00:00", "updated": "2026-03-23T12:03:45.810920+00:00", "vendors": ["jordy_meow", "jordy_meow$PRODUCT$meow_gallery", "wordpress", "wordpress$PRODUCT$wordpress"]}