Impact
The vulnerability resides in the CodeSolz Bitcoin / AltCoin Payment Gateway for WooCommerce plugin, where user input is not properly neutralized before being embedded in an SQL command. Exploitation allows an attacker to inject SQL fragments into the plugin’s database queries, enabling read, update, or delete operations on data stored in the WordPress database. This can lead to the exfiltration of sensitive information or the alteration of transaction records. The flaw is a classic blind SQL injection: the injected query does not return data directly in the HTTP response, so an attacker has to infer results from differences in the application’s behaviour or response time.
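As an added illustration, not the plugin’s own code (this entry does not reproduce it), the pattern behind this class of flaw in a WordPress plugin: a hypothetical order-status lookup that splices request input into the SQL text, beside the same lookup rewritten with `$wpdb->prepare()` and type validation. The table name, request parameter and function names are assumptions.

```php
<?php
// Added example, not the plugin's code. The custom table and the
// `order_id` request parameter are invented for illustration.

/**
 * Vulnerable pattern (CWE-89): the request value is concatenated into
 * the SQL string, so whatever it contains becomes part of the query.
 * Even when no rows are echoed back, a changed response or a delay is
 * enough for a blind injection to infer stored data.
 */
function cs_example_lookup_vulnerable( $order_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'cs_example_payments';
    $sql   = "SELECT status FROM {$table} WHERE order_id = '" . $order_id . "'";
    return $wpdb->get_var( $sql );
}

/**
 * Hardened pattern: the value is bound through $wpdb->prepare() with a
 * typed placeholder, so it is only ever compared as data. The table name
 * is built from the trusted prefix, never from request input.
 */
function cs_example_lookup_hardened( $order_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'cs_example_payments';
    $sql   = $wpdb->prepare(
        "SELECT status FROM {$table} WHERE order_id = %d",
        absint( $order_id )
    );
    return $wpdb->get_var( $sql );
}

// Public (unauthenticated) AJAX endpoint: validate the type before the
// value reaches any query, and reject anything that is not a positive id.
add_action( 'wp_ajax_nopriv_cs_example_status', function () {
    $order_id = isset( $_GET['order_id'] ) ? absint( wp_unslash( $_GET['order_id'] ) ) : 0;
    if ( 0 === $order_id ) {
        wp_send_json_error( 'invalid order id', 400 );
    }
    wp_send_json_success( array( 'status' => cs_example_lookup_hardened( $order_id ) ) );
} );
```

On an existing installation, the defensive counterpart of this change is to audit every `$wpdb->query()`, `get_var()`, `get_results()` and similar call in the plugin for string-built SQL and update to a release later than 1.7.6.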
Affected Systems
WordPress installations with the CodeSolz Bitcoin / AltCoin Payment Gateway for WooCommerce plugin installed at version 1.7.6 or earlier. The plugin is commonly used in multivendor stores and shops to process cryptocurrency payments.
Risk and Exploitability
With a CVSS score of 9.3 the flaw is considered critical, reflecting its high impact and the low barrier to carrying out the attack. The EPSS score of less than 1% indicates that, as of the current analysis, exploitation in the wild is rare, but the vulnerability still poses a significant risk if an attacker can craft a suitable HTTP request to the plugin’s endpoints. The attack is likely to arrive as a remote, unauthenticated or minimally authenticated HTTP request aimed at the plugin’s publicly exposed payment processing logic. The flaw is not in the CISA Known Exploited Vulnerabilities (KEV) catalogue, but it should still be remediated promptly to prevent potential data breaches.
OpenCVE Enrichment