{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3523", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-04T16:04:52.755Z", "datePublished": "2026-03-05T04:21:53.356Z", "dateUpdated": "2026-04-08T17:12:30.229Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:30.229Z"}, "affected": [{"vendor": "blobfolio", "product": "Apocalypse Meow", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "22.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Apocalypse Meow plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 22.1.0. This is due to a flawed logical operator in the type validation check on line 261 of ajax.php \u2014 the condition uses `&&` (AND) instead of `||` (OR), causing the `in_array()` validation to be short-circuited and never evaluated for any non-empty type value. Combined with `stripslashes_deep()` being called on line 101 which removes `wp_magic_quotes()` protection, attacker-controlled single quotes pass through unescaped into the SQL query on line 298. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "title": "Apocalypse Meow <= 22.1.0 - Authenticated (Administrator+) SQL Injection via 'type' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a1af9757-23e9-41d2-bbcd-15b0610b6538?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/trunk/lib/blobfolio/wp/meow/ajax.php#L298"}, {"url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/tags/22.1.0/lib/blobfolio/wp/meow/ajax.php#L298"}, {"url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/trunk/lib/blobfolio/wp/meow/ajax.php#L261"}, {"url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/tags/22.1.0/lib/blobfolio/wp/meow/ajax.php#L261"}, {"url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/trunk/lib/blobfolio/wp/meow/ajax.php#L101"}, {"url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/tags/22.1.0/lib/blobfolio/wp/meow/ajax.php#L101"}, {"url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/trunk/lib/blobfolio/wp/meow/ajax.php#L167"}, {"url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/tags/22.1.0/lib/blobfolio/wp/meow/ajax.php#L167"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448958%40apocalypse-meow&new=3448958%40apocalypse-meow&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Louis Deschanel"}], "timeline": [{"time": "2026-03-04T16:06:27.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T15:29:10.813552Z", "id": "CVE-2026-3523", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T15:41:23.538Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3523", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-05T15:29:10.813552Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T15:29:11.839Z"}}], "cna": {"title": "Apocalypse Meow <= 22.1.0 - Authenticated (Administrator+) SQL Injection via 'type' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Louis Deschanel"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "blobfolio", "product": "Apocalypse Meow", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "22.1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-04T16:06:27.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a1af9757-23e9-41d2-bbcd-15b0610b6538?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/trunk/lib/blobfolio/wp/meow/ajax.php#L298"}, {"url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/tags/22.1.0/lib/blobfolio/wp/meow/ajax.php#L298"}, {"url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/trunk/lib/blobfolio/wp/meow/ajax.php#L261"}, {"url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/tags/22.1.0/lib/blobfolio/wp/meow/ajax.php#L261"}, {"url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/trunk/lib/blobfolio/wp/meow/ajax.php#L101"}, {"url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/tags/22.1.0/lib/blobfolio/wp/meow/ajax.php#L101"}, {"url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/trunk/lib/blobfolio/wp/meow/ajax.php#L167"}, {"url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/tags/22.1.0/lib/blobfolio/wp/meow/ajax.php#L167"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448958%40apocalypse-meow&new=3448958%40apocalypse-meow&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Apocalypse Meow plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 22.1.0. This is due to a flawed logical operator in the type validation check on line 261 of ajax.php \u2014 the condition uses `&&` (AND) instead of `||` (OR), causing the `in_array()` validation to be short-circuited and never evaluated for any non-empty type value. Combined with `stripslashes_deep()` being called on line 101 which removes `wp_magic_quotes()` protection, attacker-controlled single quotes pass through unescaped into the SQL query on line 298. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-05T04:21:53.356Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3523", "state": "PUBLISHED", "dateUpdated": "2026-03-05T15:41:23.538Z", "dateReserved": "2026-03-04T16:04:52.755Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-05T04:21:53.356Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Apocalypse Meow plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 22.1.0. This is due to a flawed logical operator in the type validation check on line 261 of ajax.php \u2014 the condition uses `&&` (AND) instead of `||` (OR), causing the `in_array()` validation to be short-circuited and never evaluated for any non-empty type value. Combined with `stripslashes_deep()` being called on line 101 which removes `wp_magic_quotes()` protection, attacker-controlled single quotes pass through unescaped into the SQL query on line 298. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}, {"lang": "es", "value": "El plugin Apocalypse Meow para WordPress es vulnerable a inyecciones SQL a trav\u00e9s del par\u00e1metro \"type\" en todas las versiones hasta la 22.1.0, incluida esta. Esto se debe a un operador l\u00f3gico defectuoso en la comprobaci\u00f3n de validaci\u00f3n de tipo en la l\u00ednea 261 de ajax.php: la condici\u00f3n utiliza \"&amp;&amp;\" (AND) en lugar de \u00ab||\u00bb (OR), lo que provoca que la validaci\u00f3n \u00abin_array()\u00bb se acorte y nunca se eval\u00fae para ning\u00fan valor de tipo no vac\u00edo. En combinaci\u00f3n con la llamada a `stripslashes_deep()` en la l\u00ednea 101, que elimina la protecci\u00f3n `wp_magic_quotes()`, las comillas simples controladas por el atacante pasan sin escapar a la consulta SQL de la l\u00ednea 298. Esto permite a los atacantes autenticados, con acceso de nivel administrador o superior, a\u00f1adir consultas SQL adicionales a las consultas ya existentes, que pueden utilizarse para extraer informaci\u00f3n confidencial de la base de datos."}], "id": "CVE-2026-3523", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-05T05:16:37.717", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/tags/22.1.0/lib/blobfolio/wp/meow/ajax.php#L101"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/tags/22.1.0/lib/blobfolio/wp/meow/ajax.php#L167"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/tags/22.1.0/lib/blobfolio/wp/meow/ajax.php#L261"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/tags/22.1.0/lib/blobfolio/wp/meow/ajax.php#L298"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/trunk/lib/blobfolio/wp/meow/ajax.php#L101"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/trunk/lib/blobfolio/wp/meow/ajax.php#L167"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/trunk/lib/blobfolio/wp/meow/ajax.php#L261"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/apocalypse-meow/trunk/lib/blobfolio/wp/meow/ajax.php#L298"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448958%40apocalypse-meow&new=3448958%40apocalypse-meow&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a1af9757-23e9-41d2-bbcd-15b0610b6538?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,22.1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Apocalypse Meow", "source": "cna", "vendor": "blobfolio"}, "product": "apocalypse_meow", "vendor": "blobfolio"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T16:48:19.803260+00:00", "value": {"mitigation_remediation": ["Upgrade the Apocalypse Meow plugin to a version newer than 22.1.0 to completely eliminate the SQL injection issue. ", "If an update cannot be performed immediately, revoke or reduce Administrator-level access for users that do not require it, and consider disabling the plugin if it is not essential. ", "As a temporary measure, manually edit the plugin source: replace the logical operator on line 261 in ajax.php with \u2018||\u2019 to restore proper validation, and remove or comment out the stripslashes_deep() call that strips protection slashes, ensuring that the \u2018type\u2019 parameter is never passed unsanitized into the SQL query."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection through the 'type' parameter"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Apocalypse Meow WordPress plugin distributed by blobfolio. All versions up to and including 22.1.0 are impacted; later releases are not known to contain this flaw.", "description_and_impact": "The Apocalypse Meow plugin for WordPress is vulnerable to SQL injection because a logical operator used in the type validation check is incorrect. The flawed \u2018&&\u2019 causes the in_array() validation to never run for non\u2011empty values, and a preceding call to stripslashes_deep() removes protective slashes. This allows an authenticated user who has Administrator-level access or higher to inject additional SQL statements into existing queries, potentially extracting sensitive data from the database.", "risk_and_exploitability": "The CVSS score is 4.9, indicating moderate severity, and the EPSS score is less than 1%, implying a low likelihood of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires an authenticated administrator account, so the attack surface is limited to sites where such credentials exist. Despite the low probability of remote exploitation, the potential impact on data confidentiality within a compromised site warrants attention."}}}}, "created": "2026-03-06T15:17:51.762252+00:00", "updated": "2026-04-15T17:00:07.051346+00:00", "vendors": ["blobfolio", "blobfolio$PRODUCT$apocalypse_meow", "wordpress", "wordpress$PRODUCT$wordpress"]}