CVE-2026-3523: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in blobfolio Apocalypse Meow
The Apocalypse Meow plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 22.1.0. This is due to a flawed logical operator in the type validation check on line 261 of ajax.php — the condition uses `&&` (AND) instead of `||` (OR), causing the `in_array()` validation to be short-circuited and never evaluated for any non-empty type value. Combined with `stripslashes_deep()` being called on line 101 which removes `wp_magic_quotes()` protection, attacker-controlled single quotes pass through unescaped into the SQL query on line 298. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI Analysis
Technical Summary
CVE-2026-3523 describes an SQL Injection vulnerability in the Apocalypse Meow WordPress plugin affecting all versions up to 22.1.0. The root cause is a logical error in the validation of the 'type' parameter in ajax.php, where an AND operator is incorrectly used instead of OR, causing the in_array() check to be bypassed for any non-empty input. Additionally, the use of stripslashes_deep() removes wp_magic_quotes() protections, allowing attacker-controlled single quotes to be passed unescaped into an SQL query. This enables authenticated administrators to append malicious SQL commands to existing queries, potentially exposing sensitive database information.
Potential Impact
The vulnerability allows authenticated users with Administrator-level access or higher to perform SQL Injection attacks via the 'type' parameter. This can lead to unauthorized disclosure of sensitive information from the database. The CVSS score of 4.9 reflects a medium severity impact with high confidentiality impact but no impact on integrity or availability. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Administrator-level access to trusted users only and monitor for suspicious activity related to the 'type' parameter in the Apocalypse Meow plugin. Avoid using the plugin in environments where untrusted administrators exist.
CVE-2026-3523: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in blobfolio Apocalypse Meow
Description
The Apocalypse Meow plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 22.1.0. This is due to a flawed logical operator in the type validation check on line 261 of ajax.php — the condition uses `&&` (AND) instead of `||` (OR), causing the `in_array()` validation to be short-circuited and never evaluated for any non-empty type value. Combined with `stripslashes_deep()` being called on line 101 which removes `wp_magic_quotes()` protection, attacker-controlled single quotes pass through unescaped into the SQL query on line 298. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-3523 describes an SQL Injection vulnerability in the Apocalypse Meow WordPress plugin affecting all versions up to 22.1.0. The root cause is a logical error in the validation of the 'type' parameter in ajax.php, where an AND operator is incorrectly used instead of OR, causing the in_array() check to be bypassed for any non-empty input. Additionally, the use of stripslashes_deep() removes wp_magic_quotes() protections, allowing attacker-controlled single quotes to be passed unescaped into an SQL query. This enables authenticated administrators to append malicious SQL commands to existing queries, potentially exposing sensitive database information.
Potential Impact
The vulnerability allows authenticated users with Administrator-level access or higher to perform SQL Injection attacks via the 'type' parameter. This can lead to unauthorized disclosure of sensitive information from the database. The CVSS score of 4.9 reflects a medium severity impact with high confidentiality impact but no impact on integrity or availability. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Administrator-level access to trusted users only and monitor for suspicious activity related to the 'type' parameter in the Apocalypse Meow plugin. Avoid using the plugin in environments where untrusted administrators exist.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-04T16:04:52.755Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69a90b11d1a09e29cbdaab81
Added to database: 3/5/2026, 4:48:17 AM
Last enriched: 4/9/2026, 11:35:07 AM
Last updated: 4/19/2026, 7:23:57 AM
Views: 62
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.