Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
PR:H confirmed by description (shop manager required); C:H reflects full DB read access; I:N/A:N as no write or disruption impact is described.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Recurio - Ultimate Subscription for WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 1.1.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with shop manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AnalysisAI
SQL Injection in the Recurio - Ultimate Subscription for WooCommerce WordPress plugin (versions up to and including 1.1.3) exposes the full WordPress database to authenticated shop managers via an unsanitized 'data' parameter in the subscription engine. Attackers with shop manager-level credentials or higher can append arbitrary SQL clauses to existing queries, enabling extraction of sensitive records including customer PII, order history, and WordPress user data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an active WordPress session authenticated at WooCommerce shop manager privilege level or above - unauthenticated or subscriber-level users cannot trigger this flaw (confirmed by CVSS PR:H). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 4.9 (Medium) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N accurately reflects the constrained risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has compromised or legitimately holds a WooCommerce shop manager account authenticates to the WordPress admin interface and submits a crafted HTTP request with a SQL payload embedded in the 'data' parameter to one of the vulnerable subscription engine endpoints (e.g., the handler at class-subscription-engine.php:1095 or :301). The unsanitized value is appended to the existing SQL query, allowing UNION-based or boolean-blind extraction of arbitrary database tables - including wp_users password hashes, WooCommerce order records, and stored payment metadata. … |
| Remediation | A code fix has been committed to the WordPress plugin SVN repository as changeset 3593971 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3593971%40recurio&new=3593971%40recurio); however, the exact patched release version number is not independently confirmed by the available reference data - administrators should update the plugin to the latest available version through the WordPress dashboard and verify the installed version exceeds 1.1.3. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42216
GHSA-32p7-vhx7-9q3f