{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31920", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-10T10:59:45.899Z", "datePublished": "2026-03-25T16:14:57.049Z", "dateUpdated": "2026-03-26T14:14:03.249Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "products-rearrange-woocommerce", "product": "Product Rearrange for WooCommerce", "vendor": "Devteam HaywoodTech", "versions": [{"lessThanOrEqual": "<= 1.2.2", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "hivesec | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:35.867Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Devteam HaywoodTech Product Rearrange for WooCommerce products-rearrange-woocommerce allows Blind SQL Injection.<p>This issue affects Product Rearrange for WooCommerce: from n/a through <= 1.2.2.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Devteam HaywoodTech Product Rearrange for WooCommerce products-rearrange-woocommerce allows Blind SQL Injection.This issue affects Product Rearrange for WooCommerce: from n/a through <= 1.2.2."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:57.049Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/products-rearrange-woocommerce/vulnerability/wordpress-product-rearrange-for-woocommerce-plugin-1-2-2-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Product Rearrange for WooCommerce plugin <= 1.2.2 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T14:13:56.578009Z", "id": "CVE-2026-31920", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:14:03.249Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-31920", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T14:13:56.578009Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:13:38.852Z"}}], "cna": {"title": "WordPress Product Rearrange for WooCommerce plugin <= 1.2.2 - SQL Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "hivesec | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "affected": [{"vendor": "Devteam HaywoodTech", "product": "Product Rearrange for WooCommerce", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.2.2"}], "packageName": "products-rearrange-woocommerce", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:35.867Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/products-rearrange-woocommerce/vulnerability/wordpress-product-rearrange-for-woocommerce-plugin-1-2-2-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Devteam HaywoodTech Product Rearrange for WooCommerce products-rearrange-woocommerce allows Blind SQL Injection.This issue affects Product Rearrange for WooCommerce: from n/a through <= 1.2.2.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Devteam HaywoodTech Product Rearrange for WooCommerce products-rearrange-woocommerce allows Blind SQL Injection.<p>This issue affects Product Rearrange for WooCommerce: from n/a through <= 1.2.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:57.049Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31920", "state": "PUBLISHED", "dateUpdated": "2026-03-26T14:14:03.249Z", "dateReserved": "2026-03-10T10:59:45.899Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:57.049Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Devteam HaywoodTech Product Rearrange for WooCommerce products-rearrange-woocommerce allows Blind SQL Injection.This issue affects Product Rearrange for WooCommerce: from n/a through <= 1.2.2."}], "id": "CVE-2026-31920", "lastModified": "2026-03-26T15:16:36.920", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:58.783", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/products-rearrange-woocommerce/vulnerability/wordpress-product-rearrange-for-woocommerce-plugin-1-2-2-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Product Rearrange for WooCommerce", "source": "cna", "vendor": "Devteam HaywoodTech"}, "product": "product_rearrange_for_woocommerce", "vendor": "devteam_haywoodtech"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T18:39:03.898590+00:00", "value": {"mitigation_remediation": ["Upgrade the \"Product Rearrange for WooCommerce\" plugin to the latest available version; a fixed release is expected to remove the injection point.", "If no update is immediately available, temporarily deactivate or uninstall the plugin to eliminate the attack surface.", "Apply any other WordPress security updates and ensure the database connections use strong authentication and least-privilege permissions.", "Monitor database logs for unusual query patterns that might indicate an attempted exploitation.", "Stay alert for vendor advisories or security bulletins related to this plugin to apply fixes when released."], "summary": {"action": "Immediate Patch", "impact": "Database Compromise via Blind SQL Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Devteam HaywoodTech \"Product Rearrange for WooCommerce\" plugin for all releases up to and including version 1.2.2. No higher versions are listed as affected, and lower bound information is not specified in the advisory.", "description_and_impact": "Improper handling of special characters in the SQL command of the WordPress \"Product Rearrange for WooCommerce\" plugin creates a blind SQL injection flaw. An attacker could craft queries that are executed by the database, enabling extraction of sensitive data or modification of stored information. Because the injection is blind, the attacker can infer information by observing timing or error responses, which still allows exhaustive discovery of database contents over time.", "risk_and_exploitability": "The CVSS score is not provided, but the capacity to read or alter database contents indicates a high severity. EPSS and KEV data are unavailable, so the likelihood of exploitation cannot be quantified from the data. The attack vector is inferred to be via HTTP requests targeting the plugin\u2019s functionality, as is typical for WordPress plugins. Given the blind nature of the injection, exploitation may require persistence and careful analysis, but the potential impact remains substantial."}}}}, "created": "2026-03-25T21:43:47.157781+00:00", "updated": "2026-03-26T11:37:45.897826+00:00", "vendors": ["devteam_haywoodtech", "devteam_haywoodtech$PRODUCT$product_rearrange_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}