Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Remote authenticated Subscriber (PR:L) reaches injectable query (AC:L); SQLi typically permits limited writes so I:L rather than I:N; scope change to DB tables outside plugin boundary justifies S:C.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Subscriber SQL Injection in WCMultiShipping <= 3.0.2 versions.
AnalysisAI
SQL injection in the WCMultiShipping WordPress plugin (Mondial Relay & Chronopost for WooCommerce) versions 3.0.2 and earlier allows authenticated users holding only the low-privilege Subscriber role to inject arbitrary SQL into backend queries. The scope-changed CVSS 8.5 reflects high confidentiality impact across security boundaries, and no public exploit identified at time of analysis. Disclosure originates from Patchstack's WordPress vulnerability database.
Technical ContextAI
WCMultiShipping is a WooCommerce shipping integration plugin (CPE: wcmultishipping_-_mondial_relay_&_chronopost_for_wooommerce:wcmultishipping) that connects WordPress stores to Mondial Relay and Chronopost carriers in France. The flaw is a CWE-89 Improper Neutralization of Special Elements used in an SQL Command, meaning user-controlled input reaches a database query without parameterization or proper escaping. Because Subscriber is the lowest authenticated role in WordPress (typically auto-assigned on open registration), the vulnerable code path is reachable from any registered visitor, not just shop managers or admins.
RemediationAI
No vendor-released patch identified at time of analysis from the supplied data; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wc-multishipping/vulnerability/wordpress-wcmultishipping-plugin-3-0-2-sql-injection-vulnerability) for the fixed version (expected to be greater than 3.0.2) and upgrade as soon as it is published. Until a fix is applied, compensating controls include disabling open WordPress user registration via Settings → General (this breaks customer self-checkout flows that require accounts), deactivating the WCMultiShipping plugin if the Mondial Relay/Chronopost integration is non-essential, or placing a WAF rule (Patchstack, Wordfence, etc.) in front of the vulnerable endpoint to filter SQL metacharacters in plugin parameters - note WAF rules can be bypassed and may false-positive on legitimate carrier-tracking values containing apostrophes.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36905
GHSA-rg72-qvpg-fcv6