Skip to main content

Square for WooCommerce EUVDEUVD-2026-43422

| CVE-2026-57810 HIGH
SQL Injection (CWE-89)
2026-07-13 Patchstack
8.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
7.1 HIGH

Network-reachable low-complexity SQLi needing a low-privilege account (PR:L); blind data read gives C:H with minor I:L, and I see no cross-authorization scope change (S:U) or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:26 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 8.5

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal APIExperts Square for WooCommerce woosquare allows Blind SQL Injection.This issue affects APIExperts Square for WooCommerce: from n/a through <= 4.7.4.

AnalysisAI

Blind SQL injection in the APIExperts "Square for WooCommerce" (woosquare) WordPress plugin affects all versions up to and including 4.7.4, allowing an authenticated attacker to inject crafted SQL into a database query and infer or extract data via boolean/time-based blind techniques. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 8.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege WordPress account
Delivery
Send crafted request to woosquare endpoint
Exploit
Inject blind SQL payload into parameter
Execution
Infer data via boolean/time-based responses
Impact
Exfiltrate credentials and order data from database

Vulnerability AssessmentAI

Exploitation Exploitation requires a low-privileged authenticated session on the target WordPress site (CVSS PR:L), so the attacker must first hold or acquire valid credentials - commonly achievable where WooCommerce/WordPress self-service customer or subscriber registration is enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderately concerning but not top-tier emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a low-privilege account on a WooCommerce store running woosquare <= 4.7.4, then sends crafted HTTP requests to a vulnerable plugin endpoint with SQL metacharacters embedded in a parameter. Because the injection is blind, the attacker uses boolean or time-based conditions to iteratively extract sensitive data such as user credentials, order details, and secret keys from the WordPress database. …
Remediation No vendor-released patched version is identified in the provided data (the issue affects versions through <= 4.7.4), so the primary action is to update woosquare to the first release above 4.7.4 as soon as the vendor publishes it and to monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/woosquare/vulnerability/wordpress-apiexperts-square-for-woocommerce-plugin-4-7-4-sql-injection-vulnerability?_s_id=cve) for the fixed version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit current plugin version across all installations and restrict database query privileges for low-privileged user roles to minimum necessary permissions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43422 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy