Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows Blind SQL Injection. This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through <= 4.1.3.
Published: 2026-03-25
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection – blind execution leading to data exposure or manipulation
Action: Patch
AI Analysis

Impact

The vulnerability is a blind SQL injection flaw caused by improper neutralization of user-controlled input in WPFactory's Advanced WooCommerce Product Sales Reporting plugin. An attacker can supply crafted input that reaches queries executed on the underlying database, potentially allowing confidential data to be read, modified, or deleted. The weakness is classified as CWE-89 (SQL Injection).

Affected Systems

The affected product is the WordPress plugin Advanced WooCommerce Product Sales Reporting developed by WPFactory. Versions from the initial release through 4.1.3 (inclusive) are vulnerable. Users running any of these releases should consider upgrading.

Risk and Exploitability

The CVSS score of 9.3 classifies the issue as critical. The EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. Attackers would need to interact with the plugin's input fields, likely via the WordPress administration interface or possibly exposed front-end endpoints, and rely on a blind injection technique in which database contents are inferred through timing or boolean responses.

Generated by OpenCVE AI on March 26, 2026 at 20:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Advanced WooCommerce Product Sales Reporting plugin to version 4.1.4 or newer.
  • Verify that the new version contains the applied fix and test functionality.
  • If an update is not immediately available, temporarily restrict access to the plugin’s administrative pages and consider applying a web application firewall rule to block SQL injection payloads.
  • Perform a review of other plugins and core WordPress installation to ensure no similar input validation weaknesses exist.
  • Monitor logs for suspicious database queries or repeated injection attempts.


Tracking


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 19:30:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Wpfactory; Wpfactory advanced Woocommerce Product Sales Reporting

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Wpfactory; Wpfactory advanced Woocommerce Product Sales Reporting

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows Blind SQL Injection. This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through <= 4.1.3.

Type: Title
Values Added: WordPress Advanced WooCommerce Product Sales Reporting plugin <= 4.1.3 - SQL Injection vulnerability

Type: Weaknesses
Values Added: CWE-89

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:07.674Z

Reserved: 2026-01-28T09:50:51.017Z

Link: CVE-2026-24993

Vulnrichment

Updated: 2026-03-26T19:12:32.340Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:41.173

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-24993

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:14Z

Weaknesses