Impact
An SQL injection flaw in Fahad Mahmood's Order Splitter for WooCommerce plugin allows an attacker to supply crafted input that is not properly escaped before it is embedded in an SQL statement. The vulnerability maps to CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and can lead to unauthorized disclosure, modification, or deletion of database contents.
Affected Systems
The flaw affects WordPress sites running the Order Splitter for WooCommerce plugin at version 5.3.0 or earlier. The vendor, Fahad Mahmood, provides no finer-grained list of affected releases beyond the upper bound of 5.3.0, so any installation at or below that release is vulnerable.
Risk and Exploitability
The CVSS score of 8.5 classifies this as a high-severity vulnerability, though the EPSS score of less than 1% indicates that the probability of exploitation is currently low. The flaw is not listed in the CISA KEV catalog. Because the plugin is a publicly accessible WordPress add-on, the likely attack vector is inferred to be a crafted HTTP request to a page that processes Order Splitter inputs, potentially without requiring administrative authentication. An attacker could inject arbitrary SQL commands and alter, delete, or exfiltrate database content, thereby compromising the confidentiality, integrity, and availability of the site.
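The advisory describes the generic CWE-89 pattern (request input concatenated into SQL text) and the remediation is the usual one for WordPress plugins: validate the value, then bind it through $wpdb->prepare(). The following is an added illustration of that pattern, not code from the Order Splitter for WooCommerce plugin or from its author; the table name split_orders, its columns, the function names, and the manage_woocommerce capability check are all assumptions chosen for the example.

```php
<?php
// Added illustrative example; it is NOT the plugin's code. The table
// "{$wpdb->prefix}split_orders" with columns id, parent_order_id and status,
// and every function name below, are assumptions made for this example.

// VULNERABLE PATTERN (CWE-89): the request value is interpolated straight into
// the SQL text, so quote characters in it change the structure of the query.
function split_orders_lookup_unsafe( $parent_order_id, $status ) {
    global $wpdb;
    $table = $wpdb->prefix . 'split_orders';
    $sql   = "SELECT id, status FROM {$table} "
           . "WHERE parent_order_id = '{$parent_order_id}' AND status = '{$status}'";
    return $wpdb->get_results( $sql );
}

// HARDENED PATTERN: validate each value for its expected type, then bind it with
// $wpdb->prepare(), which quotes and escapes bound values. The table name cannot be
// bound as a placeholder, so it is derived from $wpdb->prefix (trusted configuration),
// never from request input.
function split_orders_lookup_safe( $parent_order_id, $status ) {
    global $wpdb;
    $table = $wpdb->prefix . 'split_orders';

    // Order IDs are positive integers; anything else is rejected before reaching the DB.
    $parent_order_id = absint( $parent_order_id );
    if ( 0 === $parent_order_id ) {
        return array();
    }

    // Status is a free-form string from the request, so it is reduced to an allowlist
    // (the set of values is an assumption for the example) and still bound with %s.
    $allowed_status = array( 'pending', 'processing', 'completed' );
    $status         = sanitize_text_field( $status );
    if ( ! in_array( $status, $allowed_status, true ) ) {
        return array();
    }

    $sql = $wpdb->prepare(
        "SELECT id, status FROM {$table} WHERE parent_order_id = %d AND status = %s",
        $parent_order_id,
        $status
    );
    return $wpdb->get_results( $sql );
}

// Request handler for the hardened lookup. Because the advisory notes the request may
// not require administrative authentication, the handler also enforces a capability
// check and a nonce so that unauthenticated or cross-site requests never reach the query.
function split_orders_handle_request() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'split_orders_lookup' ); // nonce action name is an assumption

    $raw_id     = isset( $_GET['parent_order_id'] ) ? wp_unslash( $_GET['parent_order_id'] ) : '';
    $raw_status = isset( $_GET['status'] ) ? wp_unslash( $_GET['status'] ) : '';

    return split_orders_lookup_safe( $raw_id, $raw_status );
}
```

When reviewing a plugin for this class of flaw, the quick check is to grep for $wpdb->query, $wpdb->get_results, $wpdb->get_var and $wpdb->get_row calls whose SQL string is built with interpolation or concatenation and is not wrapped in $wpdb->prepare(); every value that originates in $_GET, $_POST, $_REQUEST or a REST parameter must pass through type validation and a placeholder before it reaches the database.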