Vulnerabilities and security researches forapocalypse-meow apocalypse-meow

Jun 07, 2024

CVE, Research URL: ea137189393013171203257e06e9bf5fc15e587e
Home page URL: Security reports for Apocalypse Meow
Application: Apocalypse Meow
Date: Dec 04, 2017
Research Description: Apocalypse Meow [apocalypse-meow] < 21.2.8 WordPress Apocalypse Meow plugin <=21.2.7 - BCrypt Authentication Bypass vulnerability BCrypt Authentication Bypass vulnerability found by Steve (Sc00bzT) in WordPress Apocalypse Meow plugin (versions <=21.2.7).
Affected versions: Min 21.1.3, max 21.2.8.
Status: vulnerable

Apr 16, 2026

CVE, Research URL: CVE-2026-3523
Home page URL: Security reports for Apocalypse Meow
Application: Apocalypse Meow
Date: Mar 05, 2026
Research Description: The Apocalypse Meow plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 22.1.0. This is due to a flawed logical operator in the type validation check on line 261 of ajax.php — the condition uses `&&` (AND) instead of `||` (OR), causing the `in_array()` validation to be short-circuited and never evaluated for any non-empty type value. Combined with `stripslashes_deep()` being called on line 101 which removes `wp_magic_quotes()` protection, attacker-controlled single quotes pass through unescaped into the SQL query on line 298. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions: max 23.0.0.
Status: vulnerable