SQL Injection Vulnerability in Tainacan Plugin by WordPress
CVE-2026-42740

9.3CRITICAL

Key Information:

Vendor: WordPress
Status: Tainacan
Vendor: CVE Published:; 27 May 2026

What is CVE-2026-42740?

The Tainacan plugin for WordPress is susceptible to a Blind SQL Injection vulnerability due to improper neutralization of special elements within SQL commands. This flaw enables attackers to manipulate database queries, potentially exposing sensitive information without authorization. It affects versions from n/a to 1.0.3, emphasizing the need for users to upgrade and secure their installations immediately.

Affected Version(s)

Tainacan 0 <= 1.0.3

References

https://patchstack.com/database/Wordpress/Plugin/tainacan...

vdb-entry

CVSS V3.1

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2026
Vulnerability Reserved
Apr 29, 2026

Credit

hhhai | Patchstack Bug Bounty Program

CVE-2026-42740 Data

JSON