Skip to main content

WCMultiShipping EUVDEUVD-2026-36905

| CVE-2026-52700 HIGH
SQL Injection (CWE-89)
2026-06-15 Patchstack GHSA-rg72-qvpg-fcv6
8.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
8.5 HIGH

Remote authenticated Subscriber (PR:L) reaches injectable query (AC:L); SQLi typically permits limited writes so I:L rather than I:N; scope change to DB tables outside plugin boundary justifies S:C.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:24 vuln.today

DescriptionCVE.org

Subscriber SQL Injection in WCMultiShipping <= 3.0.2 versions.

AnalysisAI

SQL injection in the WCMultiShipping WordPress plugin (Mondial Relay & Chronopost for WooCommerce) versions 3.0.2 and earlier allows authenticated users holding only the low-privilege Subscriber role to inject arbitrary SQL into backend queries. The scope-changed CVSS 8.5 reflects high confidentiality impact across security boundaries, and no public exploit identified at time of analysis. Disclosure originates from Patchstack's WordPress vulnerability database.

Technical ContextAI

WCMultiShipping is a WooCommerce shipping integration plugin (CPE: wcmultishipping_-_mondial_relay_&_chronopost_for_wooommerce:wcmultishipping) that connects WordPress stores to Mondial Relay and Chronopost carriers in France. The flaw is a CWE-89 Improper Neutralization of Special Elements used in an SQL Command, meaning user-controlled input reaches a database query without parameterization or proper escaping. Because Subscriber is the lowest authenticated role in WordPress (typically auto-assigned on open registration), the vulnerable code path is reachable from any registered visitor, not just shop managers or admins.

RemediationAI

No vendor-released patch identified at time of analysis from the supplied data; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wc-multishipping/vulnerability/wordpress-wcmultishipping-plugin-3-0-2-sql-injection-vulnerability) for the fixed version (expected to be greater than 3.0.2) and upgrade as soon as it is published. Until a fix is applied, compensating controls include disabling open WordPress user registration via Settings → General (this breaks customer self-checkout flows that require accounts), deactivating the WCMultiShipping plugin if the Mondial Relay/Chronopost integration is non-essential, or placing a WAF rule (Patchstack, Wordfence, etc.) in front of the vulnerable endpoint to filter SQL metacharacters in plugin parameters - note WAF rules can be bypassed and may false-positive on legitimate carrier-tracking values containing apostrophes.

Share

EUVD-2026-36905 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy