PT-2026-23132 · WordPress · Apocalypse Meow

Louis Deschanel · Published 2026-03-05 · Updated 2026-03-08 · CVE-2026-3523

CVSS v3.1: 4.9 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Apocalypse Meow plugin for WordPress versions prior to 22.1.0

Description

The software is susceptible to SQL injection through the type parameter. A flawed logical operator in the type validation check allows attacker-controlled single quotes to pass unescaped into SQL queries. This enables authenticated attackers with Administrator-level access or higher to append additional SQL queries, potentially extracting sensitive information from the database. The issue stems from the use of the '&&' (AND) operator where '||' (OR) was required in the validation check, which causes the in_array() validation to be bypassed. The stripslashes_deep() function further contributes to the issue by removing the protection added by wp_magic_quotes().

Recommendations

Update the Apocalypse Meow plugin to version 22.1.0 or later.
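
The operator mistake from the description, as an added illustration that is not the plugin's code: the allowlist values, the function names and the exact two-part condition are assumptions, and addslashes()/stripslashes() stand in for wp_magic_quotes()/stripslashes_deep() so that it runs outside WordPress.

```php
<?php
// Added illustration; not Apocalypse Meow source. All names are hypothetical.
const ALLOWED_TYPES = ['ban', 'fail', 'success']; // assumed allowlist

// Flawed: with &&, a value is rejected only when it is BOTH a non-string
// AND missing from the allowlist, so any string skips the in_array() result.
function validate_type_flawed($type): string
{
    if (!is_string($type) && !in_array($type, ALLOWED_TYPES, true)) {
        return '';
    }
    return $type;
}

// Corrected: with ||, failing either test rejects the value.
function validate_type_fixed($type): string
{
    if (!is_string($type) || !in_array($type, ALLOWED_TYPES, true)) {
        return '';
    }
    return $type;
}

// Constructed request value containing a single quote.
$raw = "o'brien";

// Stand-ins so this runs outside WordPress: addslashes() for the escaping
// wp_magic_quotes() applies to request data, stripslashes() for what
// stripslashes_deep() does to a scalar.
$quoted   = addslashes($raw);
$unquoted = stripslashes($quoted);

$cases = [
    'allowlisted value'         => 'fail',
    'quote, slashes still on'   => $quoted,
    'quote, after stripslashes' => $unquoted,
];

// Print what each validator lets through for each input.
foreach ($cases as $label => $value) {
    printf(
        "%-27s flawed=[%s] fixed=[%s]\n",
        $label,
        validate_type_flawed($value),
        validate_type_fixed($value)
    );
}
```

Independently of the allowlist, binding the value through $wpdb->prepare() with a %s placeholder keeps a quote in the value from becoming part of the query text.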

Fix

SQL injection

Weakness Enumeration

Related Identifiers: CVE-2026-3523

Affected Products: Apocalypse Meow