Improper Neutralization of Special Elements used in an SQL Command in the Cart tracking for WooCommerce plugin allows SQL Injection. This flaw, identified as CWE-89, lets an attacker construct arbitrary SQL statements that are incorporated into database queries by the plugin. The vulnerability could permit read, modify, or delete actions on the WordPress database if the attacker can successfully inject statements. The description does not confirm that authentication is required, so it is inferred that the vulnerable functionality may be accessed without credentials.

The vulnerability affects the WordPress Cart tracking for WooCommerce plugin by vendor wpdever. All installations running any released version of the plugin up to and including 1.0.17 are susceptible. The plugin is typically deployed within WordPress e‑commerce sites that use WooCommerce, and the weakness resides in the cart tracking functionality that processes user input from the web interface.

The CVSS base score of 7.6 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild at present. The vulnerability is not included in the CISA KEV catalog. The description does not specify any authentication requirement, so it is assumed that a remote user could exploit the injection by sending crafted requests to the plugin’s publicly accessible endpoints. If successful, the attacker could execute arbitrary SQL commands against the site’s database, potentially exposing sensitive data or modifying site content. The impact could affect confidentiality, integrity, and availability depending on the nature of the injected queries.