Summary
CVE-2026-12512 is a high-severity, unauthenticated UNION-based SQL injection vulnerability affecting the Quotes llama WordPress plugin in all versions before 3.1.6. The flaw stems from insufficient sanitization of a user-supplied parameter (sc) processed by publicly accessible AJAX handlers, allowing any unauthenticated remote attacker to read arbitrary data from the underlying WordPress database. With a CVSS v3.1 score of 8.6 (High), successful exploitation can expose password hashes and other sensitive database contents, enabling potential account takeover and full site compromise.
Technical details
- Root cause: The plugin fails to properly sanitize and escape the
scparameter before incorporating it into a SQL query, violating CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). - Trigger conditions: The vulnerable
scparameter is accepted by two unauthenticated AJAX handlers —select_searchandselect_search_page— which are publicly reachable without any login or authentication context. - Attack vector: Remote, unauthenticated network access over HTTP/HTTPS; no credentials or user interaction required. Attack complexity is low.
- Injection technique: UNION-based SQL injection, enabling an attacker to append arbitrary SQL clauses and retrieve the full contents of the WordPress database, including the
wp_userstable. - Impact: Complete read access to database contents, including WordPress user password hashes. Extracted hashes can be subjected to offline brute-force or dictionary attacks, potentially leading to administrative account takeover and full WordPress site compromise. The CVSS Scope is set to Changed, reflecting that the impact crosses the security boundary of the plugin itself into the broader WordPress database context.
Affected software
- Quotes llama WordPress Plugin — all versions before 3.1.6
Severity
- CVSS v3.1 Base Score: 8.6 (High)
- Vector string:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Mitigation and recommended actions
- Immediate: Update the Quotes llama plugin to version 3.1.6 or later (version 3.1.7 is the current release as of July 2026) via the WordPress Dashboard → Plugins → Update. This version contains the fix that properly sanitizes and escapes the vulnerable
scparameter before SQL query execution. - If immediate patching is not possible: Restrict public access to WordPress AJAX endpoints (
wp-admin/admin-ajax.php) at the web server or WAF layer to limit exposure while scheduling the update.
IONIX Status
The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

