CVE-2026-32539
Published: 25 March 2026
Summary
CVE-2026-32539 is a critical-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 15.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-32539 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that enables Blind SQL Injection in the PublishPress Revisions (revisionary) WordPress plugin. This issue affects all versions from n/a through 3.7.23, i.e. every release up to and including 3.7.23.
The vulnerability has a CVSS 3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L): unauthenticated attackers with network access can exploit it remotely with low complexity and no user interaction. Successful exploitation yields a high confidentiality impact (for example, data exfiltration through blind SQL injection techniques), a low availability impact, and a changed scope.
Patchstack's advisory (https://patchstack.com/database/Wordpress/Plugin/revisionary/vulnerability/wordpress-publishpress-revisions-plugin-3-7-23-sql-injection-vulnerability?_s_id=cve) documents the SQL injection vulnerability in PublishPress Revisions plugin version 3.7.23 and lists the affected installations together with mitigation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15913
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PublishPress PublishPress Revisions revisionary allows Blind SQL Injection. This issue affects PublishPress Revisions: from n/a through <= 3.7.23.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in an unauthenticated, public-facing WordPress plugin directly enables remote exploitation for data access, which is the behaviour T1190 describes.
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely flaw remediation, directly mitigating CVE-2026-32539 by patching the SQL injection vulnerability in PublishPress Revisions versions 3.7.23 and earlier.
SI-10 mandates validation of information inputs, preventing blind SQL injection in the plugin by neutralizing special elements before use in SQL commands.
RA-5 employs vulnerability scanning to identify SQL injection flaws like CVE-2026-32539 in WordPress plugins, enabling proactive remediation.
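As an added illustration of the SI-10 control, and not code from PublishPress Revisions (this page does not show the plugin's source), the following hypothetical WordPress plugin query is written first the unsafe way and then with `$wpdb->prepare()`; the function and hook names are invented for the example.

```php
<?php
// Added example: input neutralization before SQL use in a WordPress plugin.
// Hypothetical plugin code; assumes it runs inside WordPress with $wpdb available.

// UNSAFE pattern: request input is concatenated straight into the query text.
// The query structure then depends on user data; even with no visible output,
// true/false or timing differences leak information (blind SQL injection).
function revisions_lookup_unsafe( $post_id, $status ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}"
         . " WHERE post_parent = " . $post_id
         . " AND post_status = '" . $status . "'";
    return $wpdb->get_results( $sql );
}

// HARDENED pattern: the query text is fixed and every value goes through
// $wpdb->prepare(), which escapes and quotes it, so input is only ever data.
function revisions_lookup_safe( $post_id, $status ) {
    global $wpdb;

    // Normalise types first: an ID must be a positive integer and a status must
    // be one of a known set. Rejecting early keeps bad data out of the query.
    $post_id = absint( $post_id );
    $allowed = array( 'publish', 'pending', 'draft' );
    if ( 0 === $post_id || ! in_array( $status, $allowed, true ) ) {
        return array();
    }

    // %d and %s placeholders are filled by prepare(); the returned string is the
    // only thing handed to get_results().
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_parent = %d AND post_status = %s",
        $post_id,
        $status
    );
    return $wpdb->get_results( $sql );
}

// Wiring the safe function to a request (hypothetical AJAX endpoint). A
// capability check limits who can reach the query at all; request values are
// read here but not trusted until normalised inside revisions_lookup_safe().
function revisions_lookup_ajax() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $post_id = isset( $_GET['post_id'] ) ? $_GET['post_id'] : 0;
    $status  = isset( $_GET['status'] ) ? sanitize_key( $_GET['status'] ) : '';
    wp_send_json_success( revisions_lookup_safe( $post_id, $status ) );
}
add_action( 'wp_ajax_revisions_lookup', 'revisions_lookup_ajax' );
```

The same placeholder discipline applies to every `$wpdb` call in a plugin, including ORDER BY and LIMIT fragments, which should be built from an allow-list rather than from raw request values.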