WordPress Attendance Manager plugin leaks sensitive data due to SQL injection

CVE-2026-3781
Summary

The Attendance Manager plugin for WordPress, in all versions up to and including 0.6.2, is vulnerable to SQL injection via the 'attmgr_off' parameter. An attacker with a Subscriber account or higher can use it to read sensitive, confidential information from the database. To fix this, update the plugin to a version later than 0.6.2.

Original title
The Attendance Manager plugin for WordPress is vulnerable to SQL Injection via the 'attmgr_off' parameter in all versions up to, and including, 0.6.2. This is due to insufficient escaping on the us...
Original description
The Attendance Manager plugin for WordPress is vulnerable to SQL Injection via the 'attmgr_off' parameter in all versions up to, and including, 0.6.2. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
NVD CVSS 3.1 score: 5.4
Vulnerability type
CWE-89 SQL Injection
Published: 8 Apr 2026 · Updated: 9 Apr 2026 · First seen: 8 Apr 2026