This vulnerability (CVE-2026-56036) is an unauthenticated SQL Injection (CWE-89) in the 워드프레스 결제 심플페이 plugin, affecting versions up to 5.5.6. The flaw allows attackers to inject malicious SQL commands without any authentication, which can compromise the confidentiality of the database and cause partial denial of service. The CVSS 3.1 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and scope change with high confidentiality impact and low availability impact. No vendor advisory or patch information is currently available.

Successful exploitation can lead to unauthorized disclosure of sensitive data due to SQL Injection. The vulnerability does not require authentication, increasing the risk of exploitation. The impact includes high confidentiality loss and some availability degradation. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider applying temporary mitigations such as disabling or restricting access to the affected plugin or implementing web application firewall (WAF) rules to detect and block SQL injection attempts targeting this plugin.