Cargo Shipping Location for WooCommerce
CVE-2026-54815
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Unauthenticated network-reachable blind SQLi (AV:N/AC:L/PR:N/UI:N) against the WordPress DB normally enables both read and tampering, so C:H/I:H; scope stays Unchanged as impact is confined to the same DB authority.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cargo RD Cargo Shipping Location for WooCommerce allows Blind SQL Injection.
This issue affects Cargo Shipping Location for WooCommerce: from n/a through 5.6.
Articles & Coverage 1
AnalysisAI
Blind SQL injection in the Cargo RD 'Cargo Shipping Location for WooCommerce' WordPress plugin (versions up to and including 5.6) allows remote unauthenticated attackers to inject arbitrary SQL via unsanitized input passed to backend database queries. The flaw carries a CVSS 3.1 base score of 9.3 (Critical) due to its network-reachable, no-privilege, no-interaction profile and scope-changed confidentiality impact, and no public exploit identified at time of analysis.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target site must have the Cargo RD Cargo Shipping Location for WooCommerce plugin installed and activated at any version from initial release through 5.6, alongside WordPress with WooCommerce, since the vulnerable code path is plugin-specific. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L describes a highly favorable attacker profile: network-accessible, low complexity, no authentication, no user interaction, with a scope change indicating impact crosses the database trust boundary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker scans WordPress sites for the Cargo Shipping Location for WooCommerce plugin and sends crafted HTTP requests to the vulnerable plugin endpoint, supplying boolean- or time-based SQL payloads in parameters that are concatenated into a backend query. Using response timing or content differences, the attacker enumerates the wp_users table to extract administrator password hashes and the WooCommerce customer order tables to harvest PII, then attempts offline cracking of the hashes to escalate to full admin access. … |
| Remediation | No vendor-released patch identified at time of analysis - the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/cargo-shipping-location-for-woocommerce/vulnerability/wordpress-cargo-shipping-location-for-woocommerce-plugin-5-6-sql-injection-vulnerability) lists the issue against versions up to 5.6 without naming a fixed release, so administrators should monitor the plugin page for an update beyond 5.6 and apply it as soon as released. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit all WordPress installations for Cargo Shipping Location plugin presence and affected versions (≤5.6); identify business-critical sites and data sensitivity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today