CVE-2017-20246

HIGH 8.2

KittyCatfish 2.2 Plugin for WordPress SQL Injection

CVSS Score

8.2

EPSS Score

0.0%

EPSS Percentile

0th

KittyCatfish 2.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to read database contents by exploiting an unescaped GET parameter. Attackers can inject SQL code through the 'kc_ad' parameter in base.css.php or kittycatfish.php to extract sensitive database information using boolean-based blind or time-based blind techniques.

CWE	CWE-89
Vendor	missilesilo
Product	kittycatfish
Published	Jun 9, 2026
Last Updated	Jun 9, 2026

Stay Ahead of the Next One

Get instant alerts for missilesilo kittycatfish

Be the first to know when new high vulnerabilities affecting missilesilo kittycatfish are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Affected Versions

Missilesilo / KittyCatfish

2.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/41919 wordpress.org: https://wordpress.org/plugins-wp/kittycatfish/ tad.group: https://tad.group vulncheck.com: https://www.vulncheck.com/advisories/kittycatfish-plugin-for-wordpress-sql-injection

Credits

TAD GROUP