Skip to main content

Advanced Shipment Tracking CVE-2026-57773

| EUVDEUVD-2026-43393 HIGH
SQL Injection (CWE-89)
2026-07-13 Patchstack
7.6
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
4.9 MEDIUM

Requires an authenticated high-privilege WordPress account (PR:H) over the network with no user interaction; blind SQLi enables full DB read (C:H) but no confirmed write or availability impact, and I keep scope unchanged (S:U) as the injection stays within the app's own DB.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:35 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.6

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Zorem Advanced Shipment Tracking for WooCommerce woo-advanced-shipment-tracking allows Blind SQL Injection.This issue affects Advanced Shipment Tracking for WooCommerce: from n/a through <= 4.0.

AnalysisAI

Blind SQL injection in the Zorem "Advanced Shipment Tracking for WooCommerce" WordPress plugin (all versions through 4.0) lets an authenticated high-privileged user inject SQL into a backend query and extract database contents inference by inference. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was disclosed via Patchstack. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain high-privilege WooCommerce account
Delivery
Access vulnerable plugin endpoint
Exploit
Inject blind SQL payload
Execution
Infer results via boolean/timing oracle
Impact
Extract database records (PII, hashes)

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account with high privileges (CVSS PR:H - in practice an administrator or shop-manager role on the WooCommerce site), and access to the plugin functionality/endpoint that constructs the vulnerable SQL query in Advanced Shipment Tracking for WooCommerce version 4.0 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.6 (High) with vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who already holds a WordPress shop-manager or administrator account - or who has hijacked such a session via phishing or a compromised credential - submits crafted input to a plugin parameter that feeds an unsanitized SQL query. By observing conditional true/false or timing differences in the plugin's responses, they iteratively extract customer PII, order data, and password hashes from the WooCommerce database. …
Remediation No vendor-released patched version is identified in the provided data - the advisory only records the vulnerable range as "through <= 4.0" without naming a fixed release - so consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/woo-advanced-shipment-tracking/vulnerability/wordpress-advanced-shipment-tracking-for-woocommerce-plugin-4-0-sql-injection-vulnerability) and the plugin's WordPress.org changelog for a version newer than 4.0 and update to it once released. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit all active WordPress administrator and shop-manager accounts, restrict admin access to essential trusted personnel only, and enforce strong credential requirements. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57773 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy