What the vulnerability does
01Description
KittyCatfish 2.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to read database contents by exploiting an unescaped GET parameter. Attackers can inject SQL code through the 'kc_ad' parameter in base.css.php or kittycatfish.php to extract sensitive database information using boolean-based blind or time-based blind techniques.
Explanation of Vulnerability in Simple Terms
02Summary
KittyCatfish versions 2.2 contain a SQL injection vulnerability in an unspecified component. An attacker on the network can craft malicious input to execute arbitrary SQL queries against the database without authentication. This allows reading or modifying sensitive data stored in the application database.
What an attacker can do
03Attacker Capabilities
Execute arbitrary SQL queries to read or modify database contents without authentication.
Potential impact on your site
04Site Impact
Attackers can access or alter sensitive data in your KittyCatfish database without logging in.
Conditions required to exploit
05Prerequisites
Network access to the application; no authentication or user interaction required.
Key dates
06Disclosure timeline
June 9, 2026
CVE published
June 9, 2026
Record updated