Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce different-shipping-and-billing-address-for-woocommerce allows SQL Injection. This issue affects Multiple Shipping And Billing Address For Woocommerce: from n/a through <= 1.3.
Published: 2025-03-15
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an SQL injection flaw caused by improper sanitization of user input in the Multiple Shipping And Billing Address For Woocommerce plugin. An attacker who can manipulate the data sent to the plugin can inject arbitrary SQL commands, potentially allowing them to read, modify, or delete data stored in the WordPress site’s database. This can compromise the confidentiality, integrity, and availability of the application, and may serve as a foothold for further exploitation.

Affected Systems

The flaw is present in the silverplugins217 Multiple Shipping And Billing Address For Woocommerce plugin for WordPress, versions from the initial release through 1.3. Administrators using any of these versions on a WordPress installation are susceptible, regardless of the WordPress core version or hosting environment.

Risk and Exploitability

The CVSS score of 9.3 classifies the issue as critical, and the EPSS score of less than 1% suggests a low but non‑zero probability of exploitation in the wild. The plugin is publicly available and can be called by anyone with access to the site, so an unauthenticated attacker could potentially trigger the injection by submitting crafted requests to the plugin’s endpoints. Because it is not listed in the CISA KEV catalog, there is no known active exploit in the last six months, but the severity warrants immediate attention.

Generated by OpenCVE AI on May 1, 2026 at 13:47 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Multiple Shipping And Billing Address For Woocommerce plugin to the latest available version that contains the fix.
  • If an update is not yet available, disable or uninstall the plugin until a patch is released.
  • Deploy a web application firewall or security plugin that blocks suspicious SQL patterns on WordPress endpoints.
  • Review database credentials and limit the privileges granted to the WordPress database user.

Advisories
Source: EUVD
ID: EUVD-2025-6645
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce allows SQL Injection. This issue affects Multiple Shipping And Billing Address For Woocommerce: from n/a through 1.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce allows SQL Injection. This issue affects Multiple Shipping And Billing Address For Woocommerce: from n/a through 1.3.
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce different-shipping-and-billing-address-for-woocommerce allows SQL Injection.This issue affects Multiple Shipping And Billing Address For Woocommerce: from n/a through <= 1.3.
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics
Values Removed: epss {'score': 0.0005}
Values Added: epss {'score': 0.00069}


Mon, 17 Mar 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 15 Mar 2025 22:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce allows SQL Injection. This issue affects Multiple Shipping And Billing Address For Woocommerce: from n/a through 1.3.
Title WordPress Multiple Shipping And Billing Address For Woocommerce Plugin <= 1.3 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:41.176Z

Reserved: 2025-02-17T11:49:35.313Z

Link: CVE-2025-26875

Vulnrichment

Updated: 2025-03-17T16:11:54.521Z

NVD

Status: Deferred

Published: 2025-03-15T22:15:13.690

Modified: 2026-04-23T15:25:58.867

Link: CVE-2025-26875

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:00:15Z

Weaknesses