Description
Subscriber SQL Injection in WooCommerce Frontend Manager – Ultimate < 6.7.7 versions.
Published: 2026-06-17
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a subscriber SQL injection that exists in WooCommerce Frontend Manager – Ultimate plugin versions earlier than 6.7.7. It can enable an attacker who can submit crafted input through the web interface to execute arbitrary SQL statements against the database, potentially exposing or tampering with sensitive data. The identified weakness is CWE‑89 and the impact is confidentiality, integrity, and availability compromise.

Affected Systems

The affected product is WooCommerce Frontend Manager – Ultimate from WC Lovers. Versions lower than 6.7.7 are impacted.

Risk and Exploitability

The CVSS score of 8.5 classifies the issue as high severity. No EPSS score is available, and the vulnerability is not listed in CISA KEV. Attackers can exploit the flaw by sending malicious payloads through the plugin’s web interface; therefore the likely attack vector is web-based

Generated by OpenCVE AI on June 18, 2026 at 14:11 UTC.

Remediation

Vendor Solution

Update the WordPress WooCommerce Frontend Manager – Ultimate plugin to the latest available version (at least 6.7.7).


OpenCVE Recommended Actions

  • Update WooCommerce Frontend Manager – Ultimate to version 6.7.7 or later.
  • If an upgrade cannot be performed immediately, uninstall or disable the plugin from all sites until a patch is available.
  • Implement a web application firewall rule to block typical SQL injection payloads against the WooCommerce endpoints.

Generated by OpenCVE AI on June 18, 2026 at 14:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wc Lovers.
Wc Lovers. woocommerce Frontend Manager – Ultimate
Wordpress
Wordpress wordpress
Vendors & Products Wc Lovers.
Wc Lovers. woocommerce Frontend Manager – Ultimate
Wordpress
Wordpress wordpress

Fri, 19 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Subscriber SQL Injection in WooCommerce Frontend Manager – Ultimate < 6.7.7 versions.
Title WordPress WooCommerce Frontend Manager – Ultimate plugin < 6.7.7 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Wc Lovers. Woocommerce Frontend Manager – Ultimate
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:27:49.840Z

Reserved: 2026-01-07T12:21:11.735Z

Link: CVE-2026-22335

cve-icon Vulnrichment

Updated: 2026-06-17T14:27:44.276Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:36Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')