4.9
Apocalypse Meow plugin for WordPress allows attackers to steal sensitive data
CVE-2026-3523
Summary
The Apocalypse Meow plugin for WordPress has a bug that allows attackers with administrator access to steal sensitive information from the database. This is due to a mistake in the plugin's code that lets attackers inject malicious SQL code. To protect your site, update the plugin to the latest version or uninstall it if it's not essential.
Original title
The Apocalypse Meow plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 22.1.0. This is due to a flawed logical operator in the type v...
Original description
The Apocalypse Meow plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 22.1.0. This is due to a flawed logical operator in the type validation check on line 261 of ajax.php — the condition uses `&&` (AND) instead of `||` (OR), causing the `in_array()` validation to be short-circuited and never evaluated for any non-empty type value. Combined with `stripslashes_deep()` being called on line 101 which removes `wp_magic_quotes()` protection, attacker-controlled single quotes pass through unescaped into the SQL query on line 298. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
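The operator mistake described above, as a stand-alone PHP example added here. It is not the plugin's code: the allow-list values, the function names and the exact shape of the condition are assumptions, and `addslashes()`/`stripslashes()` stand in for `wp_magic_quotes()`/`stripslashes_deep()`.

```php
<?php
// Added illustration; NOT the plugin's source. Allow-list values and
// function names are hypothetical.
const ALLOWED_TYPES = ['ban', 'fail', 'success'];

// Flawed shape: with &&, any non-empty $type makes the left operand false,
// so in_array() is never evaluated and nothing is rejected.
function type_is_rejected_flawed(string $type): bool {
    return !$type && !in_array($type, ALLOWED_TYPES, true);
}

// Corrected shape: reject when the value is empty OR not on the allow-list.
function type_is_rejected_fixed(string $type): bool {
    return !$type || !in_array($type, ALLOWED_TYPES, true);
}

// Constructed inputs: a valid value, an unknown value, a value with a quote.
$samples = ['ban', 'unknown', "ban'"];

foreach ($samples as $raw) {
    // Stand-in for wp_magic_quotes() followed by stripslashes_deep():
    // the slash added on input is removed again, so the quote survives.
    $type = stripslashes(addslashes($raw));

    printf(
        "%-10s flawed=%-7s fixed=%s\n",
        var_export($type, true),
        type_is_rejected_flawed($type) ? 'reject' : 'ACCEPT',
        type_is_rejected_fixed($type) ? 'reject' : 'accept'
    );
}
```

Independently of the allow-list check, binding the value through `$wpdb->prepare()` with a `%s` placeholder keeps a stray quote out of the query text.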
nvd CVSS3.1
4.9
Vulnerability type
CWE-89
SQL Injection
Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026