Impact
This vulnerability affects the Distance Rate Shipping for WooCommerce plugin for WordPress up to and including version 1.3.4 and results from improper neutralization of special characters in SQL statements (the CWE-89 pattern). The flaw permits blind SQL injection: user-supplied input reaches a database query without being parameterized or escaped, but query results are not returned directly to the requester. An attacker therefore extracts data by inference, observing how the response or its timing changes for true and false injected conditions, rather than by reading query output. Based on the description, this would expose database contents such as order, customer and account data, jeopardizing the confidentiality of the e-commerce platform. Whether data can also be modified depends on the context of the injected query, which the description does not specify.
Affected Systems
The vulnerability affects installations of the Techspawn Distance Rate Shipping for WooCommerce plugin; the affected range is listed as "n/a through 1.3.4", meaning every release up to and including 1.3.4 with no lower bound. Any WordPress site running WooCommerce with one of these versions is susceptible, regardless of hosting environment or network configuration, because the flaw is in the plugin code itself and is reached through the same web requests the storefront already accepts. The description names no fixed version, so operators should check the plugin's changelog for a release after 1.3.4.
Risk and Exploitability
The CVSS score of 8.5 is in the High band (9.0 and above is Critical). The EPSS score of below 1% is an estimate that the flaw is unlikely to be exploited in the wild within the next 30 days; it is a global prediction, not a statement about any particular site. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a web request that submits shipping parameters, with the attacker crafting values that are incorporated directly into a database query. Successful exploitation requires network access to the web application; the description does not state whether an authenticated account is needed, so it should be treated as reachable by anyone who can submit a shipping calculation until the vendor says otherwise.
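The blind injection pattern described above, as an added example that is not the plugin's code and not taken from the advisory. It uses a constructed in-memory SQLite table of shipping rates and two hypothetical lookup functions: one that concatenates the zone parameter into SQL, as the description implies the plugin does, and one that binds it. The only thing a remote caller observes is whether a rate was found, which is exactly the yes/no oracle a blind injection relies on.

```python
import sqlite3

# Constructed sample data (not taken from the plugin): a small table of
# distance-band shipping rates, keyed by a shipping-zone parameter.
SAMPLE_RATES = [
    (1, "zone-a", 0.0, 10.0, 4.50),
    (2, "zone-a", 10.0, 50.0, 9.00),
    (3, "zone-b", 0.0, 100.0, 12.00),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rates."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE rates (id INTEGER, zone TEXT, min_km REAL, max_km REAL, cost REAL)"
    )
    conn.executemany("INSERT INTO rates VALUES (?, ?, ?, ?, ?)", SAMPLE_RATES)
    return conn


def rate_count_vulnerable(conn, zone):
    """Hypothetical vulnerable pattern: the request parameter is pasted into SQL.

    This is the shape of bug CWE-89 describes; it is not the plugin's code.
    """
    sql = "SELECT COUNT(*) FROM rates WHERE zone = '" + zone + "'"
    return conn.execute(sql).fetchone()[0]


def rate_count_safe(conn, zone):
    """Hardened pattern: the parameter is bound, so it is only ever data."""
    row = conn.execute("SELECT COUNT(*) FROM rates WHERE zone = ?", (zone,)).fetchone()
    return row[0]


def has_rate(conn, lookup, zone):
    """The only signal a remote caller sees: was any rate found for this zone?

    In a blind injection this yes/no difference is the attacker's oracle.
    """
    return lookup(conn, zone) > 0


def demonstrate():
    """Run the same inputs through both patterns and return what each reveals."""
    conn = make_db()
    true_clause = "x' OR '1'='1"    # always-true condition once the quote is closed
    false_clause = "x' OR '1'='2"   # always-false; the two answers differ only if injection works
    probe = "zone-b' AND substr(zone,1,1)='z"  # one guess in a character-by-character extraction
    return {
        # vulnerable: the answer tracks the attacker's condition, not the zone name
        "vuln_true": has_rate(conn, rate_count_vulnerable, true_clause),
        "vuln_false": has_rate(conn, rate_count_vulnerable, false_clause),
        "vuln_probe": has_rate(conn, rate_count_vulnerable, probe),
        # hardened: every payload is just a zone name that does not exist
        "safe_true": has_rate(conn, rate_count_safe, true_clause),
        "safe_false": has_rate(conn, rate_count_safe, false_clause),
        "safe_probe": has_rate(conn, rate_count_safe, probe),
        # hardened: legitimate input still works
        "safe_legit": rate_count_safe(conn, "zone-a"),
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The vulnerable lookup answers True for the always-true clause, False for the always-false one and True for the probe, so an attacker can drive the response with a condition of their choosing and read the database one character at a time. The bound lookup answers False to all three and still returns the two zone-a rates for a real zone name. In WordPress plugin code the equivalent fix is to pass the parameter through $wpdb->prepare() with a %s or %d placeholder rather than interpolating it into the query string.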
OpenCVE Enrichment
EUVD