
Order Delivery Date for WooCommerce CVE-2026-42386

EUVD-2026-36813 · CRITICAL
SQL Injection (CWE-89)
2026-06-15 · Patchstack · GHSA-6xg5-89c9-843g
9.3 (CVSS 3.1) · Vendor: Patchstack

Severity by source

Vendor (Patchstack), primary: 9.3 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

vuln.today AI: 9.9 CRITICAL

Network-reachable, no auth and no interaction (AV:N/AC:L/PR:N/UI:N); SQLi typically allows some writes, so I:L rather than I:N; scope changes because plugin SQLi reaches the shared WP/Woo database.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: Low

Lifecycle Timeline

Analysis Generated: Jun 15, 2026 - 22:03 (vuln.today)
CVE Published: Jun 15, 2026 - 20:18 (cve.org)

Description (CVE.org)

Unauthenticated SQL Injection in Order Delivery Date for WooCommerce <= 4.5.1 versions.

Analysis (AI)

SQL injection in the Tyche Softwares 'Order Delivery Date for WooCommerce' WordPress plugin (versions up to and including 4.5.1) allows unauthenticated remote attackers to inject arbitrary SQL into backend queries. Per the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L) the flaw is network-reachable, requires no privileges or interaction, and results in a scope change with high confidentiality impact and partial availability impact. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify WooCommerce site running vulnerable plugin
Delivery: Send crafted HTTP request to plugin endpoint
Exploit: Inject SQL via unsanitized parameter
Execution: Execute query against WordPress database
Persist: Exfiltrate wp_users hashes and wp_options secrets
Impact: Pivot to admin takeover or customer PII theft

Vulnerability Assessment (AI)

Exploitation: No special conditions; remote unauthenticated exploitation against default configurations of any WordPress site that has the Tyche Softwares 'Order Delivery Date for WooCommerce' plugin (versions ≤ 4.5.1) installed and active alongside WooCommerce. …

Risk Assessment: Signals are mostly aligned toward high priority: CVSS 9.3 with AV:N/AC:L/PR:N/UI:N means a single crafted HTTP request from the internet is enough, and S:C/C:H reflects the ability to read data across the entire WordPress/WooCommerce database (customer PII, hashed credentials, order data, secrets in wp_options). …

Exploit Scenario: An attacker scanning the internet for WooCommerce stores identifies one running the vulnerable plugin and sends a single crafted HTTP request to a plugin endpoint (likely a checkout, delivery-slot lookup, or AJAX handler) with a malicious SQL payload in a date, ID, or slot parameter. The injected query reads from wp_users and wp_usermeta to dump administrator email addresses and hashed passwords, then queries wp_options for secret keys, API tokens, and stored payment-gateway credentials. …

Remediation: An upstream fix is available per the Patchstack advisory, but the patched release number is not independently confirmed from the data provided, so administrators should consult the Patchstack entry (https://patchstack.com/database/wordpress/plugin/order-delivery-date-for-woocommerce/vulnerability/wordpress-order-delivery-date-for-woocommerce-plugin-4-5-1-sql-injection-vulnerability) and the plugin's WordPress.org page to confirm and install the latest version above 4.5.1. …

Recommended Action (AI)

Within 24 hours: identify all WooCommerce sites running the Order Delivery Date for WooCommerce plugin at version 4.5.1 or earlier; disable and remove the plugin immediately. …
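As a defender-side check for the "within 24 hours" step above, the following is an added example (not code from vuln.today, Patchstack or Tyche Softwares) that walks a wp-content/plugins directory, reads each plugin's WordPress file header, and reports copies of the plugin whose version is at or below 4.5.1. The slug order-delivery-date-for-woocommerce is taken from the Patchstack URL on this page; the main-file name in the constructed sample tree and the exact "Plugin Name" header string are assumptions. Versions are compared numerically so that a release such as 4.10.0 is not mistaken for one below 4.5.1, which a plain string comparison would do.

```python
"""Inventory check for the advisory on this page: walk a WordPress plugins directory and
flag copies of Order Delivery Date for WooCommerce at or below the last affected version.
Added example; not code from vuln.today, Patchstack or Tyche Softwares."""
import re
import tempfile
from pathlib import Path

# From the advisory: the slug appears in the Patchstack URL, and versions <= 4.5.1 are
# affected.  The header name string and the main-file name used below are assumptions.
AFFECTED_SLUG = "order-delivery-date-for-woocommerce"
AFFECTED_NAME = "order delivery date for woocommerce"
LAST_AFFECTED_VERSION = "4.5.1"

# WordPress plugin header lines look like " * Plugin Name: Foo" / " * Version: 1.2.3".
HEADER_RE = re.compile(
    r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE | re.IGNORECASE
)


def parse_plugin_header(php_source: str) -> dict:
    """Return {'plugin name': ..., 'version': ...} from a plugin file's header comment.
    WordPress itself only reads the first 8 KiB of the file, so this does the same."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):
        fields.setdefault(key.lower(), value)
    return fields


def version_key(version: str) -> tuple:
    """Numeric tuple for ordering, so 4.10.0 sorts after 4.5.1 (a plain string comparison
    gets that wrong).  Any pre-release suffix after '-' is ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version.split("-")[0]))


def assess(slug: str, header: dict):
    """'affected', 'above-affected-range' or 'unknown-version' for the plugin named on
    this page; None for any other plugin.  Matching on either the directory slug or the
    header name also catches copies that were renamed or restored from a backup."""
    name = header.get("plugin name", "").lower()
    if slug != AFFECTED_SLUG and name != AFFECTED_NAME:
        return None
    key = version_key(header.get("version", ""))
    if not key:
        return "unknown-version"  # no parseable version: needs manual review
    if key <= version_key(LAST_AFFECTED_VERSION):
        return "affected"
    return "above-affected-range"


def scan_plugins_dir(plugins_dir: Path) -> dict:
    """Map plugin directory name -> status for every copy of the affected plugin found
    under wp-content/plugins.  The main file is the first top-level .php with a header."""
    findings = {}
    for plugin_dir in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        for php_file in sorted(plugin_dir.glob("*.php")):
            header = parse_plugin_header(php_file.read_text(errors="replace"))
            if "plugin name" not in header:
                continue  # helper file, not the plugin's main file
            status = assess(plugin_dir.name, header)
            if status is not None:
                findings[plugin_dir.name] = status
            break
    return findings


def demo_scan() -> dict:
    """Build a constructed wp-content/plugins tree in a temp dir and scan it."""
    samples = {
        # constructed: vulnerable copy under the real slug (main-file name is made up)
        "order-delivery-date-for-woocommerce/order_delivery_date.php":
            "<?php\n/**\n * Plugin Name: Order Delivery Date for WooCommerce\n * Version: 4.5.1\n */\n",
        # constructed: renamed backup directory with a version above the affected range
        "odd-backup/main.php":
            "<?php\n/**\n * Plugin Name: Order Delivery Date for WooCommerce\n * Version: 4.10.0\n */\n",
        # constructed: unrelated plugin that must be ignored
        "woocommerce/woocommerce.php":
            "<?php\n/**\n * Plugin Name: WooCommerce\n * Version: 9.0.0\n */\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in samples.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        return scan_plugins_dir(root)


if __name__ == "__main__":
    for slug, status in demo_scan().items():
        print(f"{slug}: {status}")
```

Against a real install, call scan_plugins_dir with the site's plugins path (for example Path("/var/www/html/wp-content/plugins"), an assumed location) on each host; any "affected" or "unknown-version" result is a site to disable the plugin on until a version above 4.5.1 is confirmed and installed.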
