CVE-2026-3523

Description

The Apocalypse Meow plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 22.1.0. This is due to a flawed logical operator in the type validation check on line 261 of ajax.php — the condition uses `&&` (AND) instead of `||` (OR), causing the `in_array()` validation to be short-circuited and never evaluated for any non-empty type value. Combined with `stripslashes_deep()` being called on line 101 which removes `wp_magic_quotes()` protection, attacker-controlled single quotes pass through unescaped into the SQL query on line 298. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/a1af9757-23e9-41d2-bbcd-15b0610b6538?source=cve

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448958%40apocalypse-meow&new=3448958%40apocalypse-meow&sfp_email=&sfph_mail=

https://plugins.trac.wordpress.org/browser/apocalypse-meow/trunk/lib/blobfolio/wp/meow/ajax.php#L298

https://plugins.trac.wordpress.org/browser/apocalypse-meow/trunk/lib/blobfolio/wp/meow/ajax.php#L261

https://plugins.trac.wordpress.org/browser/apocalypse-meow/trunk/lib/blobfolio/wp/meow/ajax.php#L167

https://plugins.trac.wordpress.org/browser/apocalypse-meow/trunk/lib/blobfolio/wp/meow/ajax.php#L101

https://plugins.trac.wordpress.org/browser/apocalypse-meow/tags/22.1.0/lib/blobfolio/wp/meow/ajax.php#L298

https://plugins.trac.wordpress.org/browser/apocalypse-meow/tags/22.1.0/lib/blobfolio/wp/meow/ajax.php#L261

https://plugins.trac.wordpress.org/browser/apocalypse-meow/tags/22.1.0/lib/blobfolio/wp/meow/ajax.php#L167

https://plugins.trac.wordpress.org/browser/apocalypse-meow/tags/22.1.0/lib/blobfolio/wp/meow/ajax.php#L101

Details

Source: Mitre, NVD

Risk Information

CVSS v2

CVSS v3

EPSS