CVE-2025-48299

2025-07-16

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
CVE Published: Jul 16, 2025 - 11:15 (nvd)

Description (NVD)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YayExtra yayextra allows SQL Injection. This issue affects YayExtra: from n/a through <= 1.5.5.

Analysis (AI)

SQL injection vulnerability in the YayCommerce YayExtra WordPress plugin, in versions up to and including 1.5.5, lets an attacker inject arbitrary SQL into a query the plugin runs against the site's database. The NVD description does not state which privilege level, if any, an attacker needs; until the Patchstack advisory has been checked, treat the flaw as reachable by low-privileged or unauthenticated users. Because user-supplied input reaches a SQL query without proper neutralization, the consequences range from database enumeration and data exfiltration (for example password hashes from wp_users) to, since the WordPress database user has write access to every table, modification of user or option rows that leads to privilege escalation. No public exploit code or active exploitation had been confirmed at the time of analysis, and the low EPSS score (0.05%) indicates a low predicted probability of exploitation in the wild despite the technical severity of the flaw class.

Technical Context (AI)

This vulnerability is rooted in CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), the classic input-handling flaw of database-driven applications. The YayExtra plugin, which operates within the WordPress ecosystem, fails to properly escape or parameterize user input before incorporating it into SQL queries. A WordPress plugin executes with the full privileges of the site's single database user and against the same tables as core (the default wp_ table prefix; the CPE pattern expected for the plugin is cpe:2.3:a:yaycommerce:yayextra:*:*:*:*:*:wordpress:*:*), so an injection in any plugin query can reach wp_users (password hashes), wp_usermeta (capabilities and session tokens) and wp_options (site configuration), not only the plugin's own data. The vulnerability likely exists in query construction code that concatenates user input directly into a SQL string instead of passing it through $wpdb->prepare() or another parameterized query path.
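The two query shapes contrasted above, as an added example that is not YayExtra's code (the plugin's actual vulnerable query is not public on this page): a concatenated query that a tautology or UNION payload can bend, beside the same lookup with a bound parameter. It runs offline against an in-memory SQLite table that stands in for a product-options table; the table name wp_demo_options, its columns and its rows are constructed for the demo, and the comments name the $wpdb equivalents used in real WordPress plugin code.

```php
<?php
// Added example, not YayExtra's own code. Demonstrates the CWE-89 query shape
// behind a WordPress plugin SQL injection and its prepared-statement fix,
// using PDO + SQLite so it runs offline (requires the pdo_sqlite extension).

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed stand-in for a plugin table; one row models data that a
    // storefront request must never be able to read.
    $db->exec("CREATE TABLE wp_demo_options (id INTEGER PRIMARY KEY, sku TEXT, label TEXT, secret TEXT)");
    $db->exec("INSERT INTO wp_demo_options (sku, label, secret) VALUES
        ('shirt-1', 'Gift wrap', 'public'),
        ('shirt-2', 'Engraving', 'public'),
        ('internal', 'Admin only', 'do-not-leak')");
    return $db;
}

// Vulnerable pattern: request input concatenated straight into the SQL text.
// In a WordPress plugin this typically reads
//   $wpdb->get_results("SELECT ... WHERE sku = '" . $_GET['sku'] . "'");
function find_options_vulnerable(PDO $db, string $sku): array {
    $sql = "SELECT sku, label FROM wp_demo_options WHERE sku = '" . $sku . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the value travels as a bound parameter, never as SQL text.
// The WordPress equivalent is
//   $wpdb->get_results($wpdb->prepare("SELECT ... WHERE sku = %s", $sku));
function find_options_safe(PDO $db, string $sku): array {
    $stmt = $db->prepare("SELECT sku, label FROM wp_demo_options WHERE sku = ?");
    $stmt->execute([$sku]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();

// Payloads constructed for the demo: a tautology that widens the WHERE clause,
// and a UNION that pulls the 'secret' column into the result set.
$tautology = "x' OR '1'='1";
$union     = "x' UNION SELECT sku, secret FROM wp_demo_options WHERE '1'='1";

foreach (['shirt-1' => 'legitimate sku', $tautology => 'tautology', $union => 'union'] as $input => $kind) {
    printf("%-15s vulnerable=%d rows  safe=%d rows\n",
        $kind,
        count(find_options_vulnerable($db, $input)),
        count(find_options_safe($db, $input)));
}

// Show what the UNION payload actually exfiltrates through the vulnerable path.
foreach (find_options_vulnerable($db, $union) as $row) {
    echo "  leaked via label column: {$row['sku']} => {$row['label']}\n";
}
```

For the legitimate SKU both functions return the one matching row. For the tautology the vulnerable function returns every row, including 'internal', while the safe function returns none because the payload is compared literally; for the UNION payload the vulnerable function returns the secret column in place of the label, which is the data-exfiltration outcome the analysis describes. Note that the fix is parameterization, not blacklisting quote characters: $wpdb->prepare() with %s and %d placeholders is the WordPress API for this, and it should be applied to every value that originates in a request, including values that are only expected to be integers.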

Affected Products (AI)

YayCommerce YayExtra WordPress plugin is affected in all versions from an unspecified baseline through and including version 1.5.5. The plugin operates as a WordPress extension (CPE likely: cpe:2.3:a:yaycommerce:yayextra:*:*:*:*:*:wordpress:*:*) and is distributed through the official WordPress plugin repository. Detailed advisory information is available at Patchstack's vulnerability database entry: https://patchstack.com/database/Wordpress/Plugin/yayextra/vulnerability/wordpress-yayextra-plugin-1-5-5-sql-injection-vulnerability.

Remediation (AI)

Update YayCommerce YayExtra to a fixed version as soon as possible: every release up to and including 1.5.5 is affected, and the first fixed version should be confirmed against the Patchstack advisory or the plugin's changelog on the WordPress plugin repository rather than assumed. If an update cannot be applied immediately, deactivate the plugin until it can. WordPress issues every query through a single database user, so restricting database privileges per query is not an available mitigation; a web application firewall rule (virtual patch) that blocks SQL metacharacters in requests to the plugin's endpoints is the realistic interim control. Review web server access logs and, where enabled, database query logs for SQL injection attempts (quote characters, UNION SELECT, time-based payloads in query strings) and for unexpectedly large responses to such requests, which can indicate exfiltration. Apply the update through the WordPress admin dashboard or with WP-CLI (wp plugin update yayextra), then confirm the installed version on the Plugins page or with wp plugin get yayextra --field=version. Reference the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/yayextra/vulnerability/wordpress-yayextra-plugin-1-5-5-sql-injection-vulnerability) for detailed patch information and timeline.
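The two administrative checks above (is the installed version in the affected range, and do the access logs show injection attempts), as an added example that is neither vuln.today's, Patchstack's nor YayCommerce's code. All inputs are constructed: the plugin header text and the access-log lines below are made up for the demo, the action name demo_lookup is hypothetical, and /wp-admin/admin-ajax.php appears only because it is the usual WordPress AJAX entry point, not because the advisory names it as the vulnerable endpoint.

```php
<?php
// Added example, not from the advisory or the plugin. Two post-advisory checks:
// (1) version-range test against the NVD affected range (<= 1.5.5),
// (2) coarse triage of access-log lines for SQL injection markers.

const YAYEXTRA_LAST_VULNERABLE = '1.5.5';   // from the NVD description: affected through <= 1.5.5

// Parse the "Version:" header every WordPress plugin carries in its main file
// (the same field that "wp plugin get yayextra --field=version" reports).
function plugin_version_from_header(string $header): ?string {
    return preg_match('/^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)/mi', $header, $m) ? $m[1] : null;
}

// In range if the installed version is <= 1.5.5. The page gives no fixed
// version, so anything newer must still be confirmed against Patchstack.
function yayextra_is_vulnerable(string $installed): bool {
    return version_compare($installed, YAYEXTRA_LAST_VULNERABLE, '<=');
}

// Flag access-log lines whose (URL-decoded) request carries common SQL
// injection markers. This is a triage filter for the "review server logs"
// step: it will false-positive on some legitimate apostrophes, and every hit
// needs a human look at the full request and the size of the response.
function suspicious_request_lines(array $lines): array {
    $markers = '/(\'|%27)\s*(or|and|union|--|#|\/\*)|union(\s|\+)+select|sleep\(|benchmark\(|information_schema/i';
    $hits = [];
    foreach ($lines as $line) {
        if (preg_match($markers, urldecode($line))) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed plugin header, as read from the plugin's main PHP file.
$header = "/*\n * Plugin Name: YayExtra (constructed header for the demo)\n * Version: 1.5.5\n */";
$installed = plugin_version_from_header($header);
printf("installed %s -> %s\n", $installed,
    yayextra_is_vulnerable($installed) ? 'in affected range, update now' : 'outside the NVD affected range');

// Constructed access-log lines (combined log format). Two carry payloads,
// one is a normal lookup, one is ordinary browsing.
$log = [
    '203.0.113.5 - - [16/Jul/2025:11:20:01 +0000] "GET /wp-admin/admin-ajax.php?action=demo_lookup&sku=shirt-1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [16/Jul/2025:11:20:07 +0000] "GET /wp-admin/admin-ajax.php?action=demo_lookup&sku=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9811',
    '198.51.100.9 - - [16/Jul/2025:11:21:44 +0000] "GET /wp-admin/admin-ajax.php?action=demo_lookup&sku=x%27%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users--%20- HTTP/1.1" 200 2207',
    '192.0.2.77 - - [16/Jul/2025:11:22:10 +0000] "GET /product/mens-shirt/ HTTP/1.1" 200 30411',
];

foreach (suspicious_request_lines($log) as $hit) {
    echo "review: $hit\n";
}
```

The version check is deliberately inclusive (<=) because the NVD description bounds the affected range at 1.5.5 itself; version_compare() also handles pre-release suffixes and extra components, so a build string such as 1.5.5.1 is not mistaken for an affected release. The log filter flags the tautology and UNION requests and leaves the two benign lines alone; pair each hit with the response size in the same line, since a lookup that normally returns a few hundred bytes and suddenly returns kilobytes is the signal that the injection returned data rather than an error.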


CVE-2025-48299 vulnerability details – vuln.today