CVE-2026-12582 PUBLISHED

Library Management System < 3.5.8 - Unauthenticated SQL Injection via book_id

Assigner: WPScan
Reserved: 18.06.2026 Published: 13.07.2026 Updated: 13.07.2026

The Library Management System WordPress plugin before 3.5.8 does not sanitize and escape a user-supplied parameter before using it in a SQL statement, allowing unauthenticated attackers to perform SQL injection and extract arbitrary data from the database, including user password hashes.

Product Status

Vendor Unknown
Product Library Management System
Versions Default: unaffected
  • affected from 3.5 to 3.5.8 (excl.)

Credits

  • João Ramos Maciel finder
  • WPScan coordinator

References

Problem Types

  • CWE-89 SQL Injection CWE