Description
The WowStore – Store Builder & Product Blocks for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the ‘search’ parameter in all versions up to, and including, 4.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-03-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated SQL Injection allowing database data extraction
Action: Immediate Patch
AI Analysis

Impact

The WowStore – Store Builder & Product Blocks for WooCommerce plugin is vulnerable to SQL Injection via the ‘search’ parameter in all versions up to and including 4.4.3. The vulnerability results from insufficient escaping of the user-supplied value and lack of preparation on the existing SQL query, which enables an attacker to append additional SQL statements and retrieve sensitive database content. This flaw leads to potential data exposure of confidential information stored in the WordPress database.

Affected Systems

WordPress sites that have installed the WowStore – Store Builder & Product Blocks for WooCommerce plugin, version 4.4.3 or earlier. The vendor identified the issue as affecting all releases up to 4.4.3.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting that public exploitation has not yet been observed. The attack vector is unauthenticated, requiring only that an attacker knows the URL of a page that accepts the 'search' parameter or the REST API endpoint that processes it. Because the flaw is in the application logic rather than the web server, it can be exploited without special privileges, making it a convincing threat for attackers with limited resources.

Generated by OpenCVE AI on March 17, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WowStore – Store Builder & Product Blocks for WooCommerce to a version newer than 4.4.3 (if an update is available).
  • If an immediate update is not possible, block unauthenticated access to any endpoint that accepts the 'search' parameter using a web application firewall or server configuration.
  • Verify that the 'search' parameter is no longer directly used in raw SQL queries by inspecting the plugin source or reviewing application logs.

Generated by OpenCVE AI on March 17, 2026 at 03:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpxpo
Wpxpo wowstore – Store Builder & Product Blocks For Woocommerce
Vendors & Products Wordpress
Wordpress wordpress
Wpxpo
Wpxpo wowstore – Store Builder & Product Blocks For Woocommerce

Tue, 17 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
Description The WowStore – Store Builder & Product Blocks for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the ‘search’ parameter in all versions up to, and including, 4.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title WowStore – Store Builder & Product Blocks for WooCommerce <= 4.4.3 - Unauthenticated SQL Injection via 'search' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Wordpress Wordpress
Wpxpo Wowstore – Store Builder & Product Blocks For Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-17T13:27:36.715Z

Reserved: 2026-02-16T10:18:10.326Z

Link: CVE-2026-2579

cve-icon Vulnrichment

Updated: 2026-03-17T13:27:32.946Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-17T02:16:13.860

Modified: 2026-03-17T14:20:01.670

Link: CVE-2026-2579

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:49:38Z

Weaknesses