Skip to main content

Recurio WooCommerce CVE-2026-12936

| EUVDEUVD-2026-42216 MEDIUM
SQL Injection (CWE-89)
2026-07-08 Wordfence GHSA-32p7-vhx7-9q3f
4.9
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
4.9 MEDIUM

PR:H confirmed by description (shop manager required); C:H reflects full DB read access; I:N/A:N as no write or disruption impact is described.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 12:47 vuln.today
CVE Published
Jul 08, 2026 - 11:30 nvd
MEDIUM 4.9

DescriptionCVE.org

The Recurio - Ultimate Subscription for WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 1.1.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with shop manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AnalysisAI

SQL Injection in the Recurio - Ultimate Subscription for WooCommerce WordPress plugin (versions up to and including 1.1.3) exposes the full WordPress database to authenticated shop managers via an unsanitized 'data' parameter in the subscription engine. Attackers with shop manager-level credentials or higher can append arbitrary SQL clauses to existing queries, enabling extraction of sensitive records including customer PII, order history, and WordPress user data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or compromise shop manager credentials
Delivery
Authenticate to WordPress/WooCommerce admin
Exploit
Craft malicious 'data' parameter payload
Execution
Submit HTTP request to vulnerable subscription engine endpoint
Persist
Append attacker-controlled SQL to existing query
Impact
Extract sensitive records from WordPress database

Vulnerability AssessmentAI

Exploitation Exploitation requires an active WordPress session authenticated at WooCommerce shop manager privilege level or above - unauthenticated or subscriber-level users cannot trigger this flaw (confirmed by CVSS PR:H). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 4.9 (Medium) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N accurately reflects the constrained risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has compromised or legitimately holds a WooCommerce shop manager account authenticates to the WordPress admin interface and submits a crafted HTTP request with a SQL payload embedded in the 'data' parameter to one of the vulnerable subscription engine endpoints (e.g., the handler at class-subscription-engine.php:1095 or :301). The unsanitized value is appended to the existing SQL query, allowing UNION-based or boolean-blind extraction of arbitrary database tables - including wp_users password hashes, WooCommerce order records, and stored payment metadata. …
Remediation A code fix has been committed to the WordPress plugin SVN repository as changeset 3593971 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3593971%40recurio&new=3593971%40recurio); however, the exact patched release version number is not independently confirmed by the available reference data - administrators should update the plugin to the latest available version through the WordPress dashboard and verify the installed version exceeds 1.1.3. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12936 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy