Recurio Ultimate Subscription For Woocommerce
Monthly
SQL Injection in the Recurio - Ultimate Subscription for WooCommerce WordPress plugin (versions up to and including 1.1.3) exposes the full WordPress database to authenticated shop managers via an unsanitized 'data' parameter in the subscription engine. Attackers with shop manager-level credentials or higher can append arbitrary SQL clauses to existing queries, enabling extraction of sensitive records including customer PII, order history, and WordPress user data. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the high privilege requirement substantially limits the real-world attack surface.
SQL Injection in the Recurio - Ultimate Subscription for WooCommerce WordPress plugin (versions up to and including 1.1.3) exposes the full WordPress database to authenticated shop managers via an unsanitized 'data' parameter in the subscription engine. Attackers with shop manager-level credentials or higher can append arbitrary SQL clauses to existing queries, enabling extraction of sensitive records including customer PII, order history, and WordPress user data. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the high privilege requirement substantially limits the real-world attack surface.