CVE-2026-12512 PUBLISHED

Quotes Llama < 3.1.6 - Unauthenticated SQL Injection via sc Parameter

Assigner: WPScan
Reserved: 17.06.2026 Published: 15.07.2026 Updated: 15.07.2026

The Quotes llama WordPress plugin before 3.1.6 does not properly sanitize and escape a user-supplied parameter before using it in a SQL query, allowing unauthenticated attackers to perform UNION-based SQL injection and read arbitrary data from the database, including password hashes.

Product Status

Vendor Unknown
Product Quotes llama
Versions Default: unaffected
  • affected from 0 to 3.1.6 (excl.)

Credits

  • Pablo González Pérez finder
  • Francisco José Ramírez Vicente and Iñigo Sánchez Enciso finder
  • WPScan coordinator

References

Problem Types

  • CWE-89 SQL Injection CWE