Skip to main content

Cargo Shipping Location for WooCommerce CVE-2026-54815

CRITICAL
SQL Injection (CWE-89)
2026-06-17 Patchstack
9.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
9.1 CRITICAL

Unauthenticated network-reachable blind SQLi (AV:N/AC:L/PR:N/UI:N) against the WordPress DB normally enables both read and tampering, so C:H/I:H; scope stays Unchanged as impact is confined to the same DB authority.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 17, 2026 - 14:24 vuln.today
CVE Published
Jun 17, 2026 - 13:40 cve.org
CRITICAL 9.3

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cargo RD Cargo Shipping Location for WooCommerce allows Blind SQL Injection.

This issue affects Cargo Shipping Location for WooCommerce: from n/a through 5.6.

AnalysisAI

Blind SQL injection in the Cargo RD 'Cargo Shipping Location for WooCommerce' WordPress plugin (versions up to and including 5.6) allows remote unauthenticated attackers to inject arbitrary SQL via unsanitized input passed to backend database queries. The flaw carries a CVSS 3.1 base score of 9.3 (Critical) due to its network-reachable, no-privilege, no-interaction profile and scope-changed confidentiality impact, and no public exploit identified at time of analysis.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Cargo Shipping Location plugin
Delivery
Locate vulnerable plugin endpoint and parameter
Exploit
Send crafted blind SQL injection payload
Execution
Infer database contents via boolean/time side channels
Persist
Extract wp_users hashes and WooCommerce PII
Impact
Crack admin hash offline for full site takeover

Vulnerability AssessmentAI

Exploitation The target site must have the Cargo RD Cargo Shipping Location for WooCommerce plugin installed and activated at any version from initial release through 5.6, alongside WordPress with WooCommerce, since the vulnerable code path is plugin-specific. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L describes a highly favorable attacker profile: network-accessible, low complexity, no authentication, no user interaction, with a scope change indicating impact crosses the database trust boundary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker scans WordPress sites for the Cargo Shipping Location for WooCommerce plugin and sends crafted HTTP requests to the vulnerable plugin endpoint, supplying boolean- or time-based SQL payloads in parameters that are concatenated into a backend query. Using response timing or content differences, the attacker enumerates the wp_users table to extract administrator password hashes and the WooCommerce customer order tables to harvest PII, then attempts offline cracking of the hashes to escalate to full admin access. …
Remediation No vendor-released patch identified at time of analysis - the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/cargo-shipping-location-for-woocommerce/vulnerability/wordpress-cargo-shipping-location-for-woocommerce-plugin-5-6-sql-injection-vulnerability) lists the issue against versions up to 5.6 without naming a fixed release, so administrators should monitor the plugin page for an update beyond 5.6 and apply it as soon as released. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all WordPress installations for Cargo Shipping Location plugin presence and affected versions (≤5.6); identify business-critical sites and data sensitivity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54815 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy