Description
The Flat Shipping Rate by City for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'cities' parameter in all versions up to, and including, 1.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-01-14
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection allowing extraction of sensitive database information
Action: Patch Now
AI Analysis

Impact

The Flat Shipping Rate by City for WooCommerce plugin is vulnerable to a time‑based SQL injection via the 'cities' parameter. The flaw stems from insufficient input escaping and the absence of prepared statements. This weakness, identified as CWE‑89, permits an authenticated attacker with Shop Manager‑level access or higher to append malicious SQL to the existing query, potentially retrieving confidential data from the WordPress database.

Affected Systems

The affected product is the logiceverest Shipping Rates by City for WooCommerce plugin for WordPress. Versions 1.0.3 and any earlier releases are impacted. WordPress sites that have installed these releases and have users with Shop Manager or higher privileges are at risk.

Risk and Exploitability

The CVSS score of 4.9 denotes a medium severity, and the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access; attackers must obtain or compromise a Shop Manager–level account or a higher‑privileged account. No publicly available exploits are documented, but the low EPSS does not rule out targeted attempts against WooCommerce installations.

Generated by OpenCVE AI on April 16, 2026 at 02:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to the latest available version or disable it if no update exists.
  • Restrict or remove Shop Manager‑level users or grant them only the minimal permissions required for their duties, and review the plugin’s administrative interfaces for unnecessary exposure.
  • Ensure WordPress database credentials have the least privilege necessary, and validate and sanitize all user input on the server side.

Generated by OpenCVE AI on April 16, 2026 at 02:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Logiceverest
Logiceverest flat Shipping Rate By City For Woocommerce
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Logiceverest
Logiceverest flat Shipping Rate By City For Woocommerce
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Wed, 14 Jan 2026 05:45:00 +0000

Type Values Removed Values Added
Description The Flat Shipping Rate by City for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'cities' parameter in all versions up to, and including, 1.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title Shipping Rates by City for WooCommerce <= 1.0.3 - Authenticated (Shop Manager+) SQL Injection via 'cities' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Logiceverest Flat Shipping Rate By City For Woocommerce
Woocommerce Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:50:48.852Z

Reserved: 2026-01-07T17:45:17.514Z

Link: CVE-2026-0678

cve-icon Vulnrichment

Updated: 2026-01-15T18:59:55.791Z

cve-icon NVD

Status : Deferred

Published: 2026-01-14T06:15:55.197

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0678

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T02:15:21Z

Weaknesses