Is Upsellwp affected by CVE-2026-32459?

A high-severity SQL injection vulnerability in UpsellWP checkout plugin (versions ≤2.2.4) could allow attackers to extract sensitive customer and transaction data from WordPress e-commerce sites.

CVE-2026-32459

Q: How to fix CVE-2026-32459?

Within 24 hours: Inventory all WordPress instances running UpsellWP and confirm installed versions; disable the UpsellWP plugin if version ≤2.2.4 is detected. Within 7 days: Evaluate alternative checkout upsell solutions; conduct database access logs review for suspicious SQL queries; implement Web Application Firewall rules to block SQL injection patterns. Within 30 days: Migrate to patched version (when released) or approved alternative plugin; perform security assessment of affected systems; notify legal/compliance if customer data exposure is confirmed.

EUVD-2026-12017 HIGH

2026-03-13 Patchstack

8.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 13, 2026 - 16:57 vuln.today

EUVD ID Assigned

Mar 13, 2026 - 16:57 euvd

EUVD-2026-12017

CVE Published

Mar 13, 2026 - 11:42 nvd

HIGH 8.5

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in flycart UpsellWP checkout-upsell-and-order-bumps allows Blind SQL Injection.This issue affects UpsellWP: from n/a through <= 2.2.4.

Analysis

Blind SQL injection in UpsellWP checkout plugin versions 2.2.4 and earlier allows authenticated attackers to execute arbitrary SQL queries with network access and without user interaction. The vulnerability affects the checkout-upsell-and-order-bumps functionality and could enable data exfiltration or database manipulation. …

Remediation

Within 24 hours: Inventory all WordPress instances running UpsellWP and confirm installed versions; disable the UpsellWP plugin if version ≤2.2.4 is detected. Within 7 days: Evaluate alternative checkout upsell solutions; conduct database access logs review for suspicious SQL queries; implement Web Application Firewall rules to block SQL injection patterns. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +42

POC: 0

CVE-2026-32459 vulnerability details – vuln.today

Back

CVE-2026-32459

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-32459

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code