Description
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through a four-step exploitation chain. The attack exploits unsanitized widget settings interpolated into SQL expressions, combined with PDO's default multi-statement query support, to inject a maliciously serialized PHP object into the queue table. When the queue consumer processes the injected job, the unrestricted unserialize() call in yii2-queue instantiates a GuzzleHttp FileCookieJar gadget chain whose __destruct() method writes a PHP webshell to the server's webroot. The complete chain requires only three HTTP requests, no administrative privileges, and results in arbitrary command execution as the PHP process user, with queue processing triggered via an unauthenticated endpoint. This issue has been fixed in versions 4.10.3 and 5.5.5.
Published: 2026-04-13
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

Craft Commerce is vulnerable to an SQL injection flaw within the TotalRevenue widget. Unsanitized widget settings are inserted directly into SQL expressions, allowing a logged‑in control‑panel user to inject a malicious PHP object. Through PDO’s default multi‑statement support this object is added to the queue table. When the Yii2‑queue consumer processes the job it unserializes the injected payload, triggering a GuzzleHttp FileCookieJar gadget that writes a PHP webshell to the site’s webroot. The entire exploit chain requires only three HTTP requests, no administrative privileges, and results in arbitrary command execution as the web‑server’s PHP process.

Affected Systems

The vulnerability affects Craft Commerce releases 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4 when the TotalRevenue widget is in use. Versions 4.10.3 and later, and 5.5.5 and later, contain the fix and are not affected.

Risk and Exploitability

The CVSS score of 7.7 assigns this flaw a high severity. Since the EPSS score is not available, the likelihood of exploitation cannot be quantified, but the exploit requires only minimal effort: three HTTP requests, an authenticated control‑panel login, and an unauthenticated queue consumer endpoint. The vulnerability is not currently listed in CISA’s KEV catalog. The impact is full arbitrary command execution, which can lead to complete server compromise if the web‑server user owns critical resources.

Generated by OpenCVE AI on April 13, 2026 at 21:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Craft Commerce update (4.10.3 or higher, or 5.5.5 or higher).
  • Disable or remove the TotalRevenue widget until the update is applied.
  • If immediate patching is not possible, restrict or disable the queue consumer endpoint to prevent processed jobs from executing.

Generated by OpenCVE AI on April 13, 2026 at 21:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-875v-7m49-8x88 Craft Commerce has a SQL Injection can lead to Remote Code Execution via TotalRevenue Widget
History

Thu, 16 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms commerce
Vendors & Products Craftcms
Craftcms commerce

Mon, 13 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through a four-step exploitation chain. The attack exploits unsanitized widget settings interpolated into SQL expressions, combined with PDO's default multi-statement query support, to inject a maliciously serialized PHP object into the queue table. When the queue consumer processes the injected job, the unrestricted unserialize() call in yii2-queue instantiates a GuzzleHttp FileCookieJar gadget chain whose __destruct() method writes a PHP webshell to the server's webroot. The complete chain requires only three HTTP requests, no administrative privileges, and results in arbitrary command execution as the PHP process user, with queue processing triggered via an unauthenticated endpoint. This issue has been fixed in versions 4.10.3 and 5.5.5.
Title Craft Commerce: SQL Injection can lead to Remote Code Execution via TotalRevenue Widget
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Craftcms Commerce
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T13:26:40.649Z

Reserved: 2026-03-11T15:05:48.400Z

Link: CVE-2026-32271

cve-icon Vulnrichment

Updated: 2026-04-16T13:26:21.461Z

cve-icon NVD

Status : Deferred

Published: 2026-04-13T21:16:24.260

Modified: 2026-04-17T15:26:57.017

Link: CVE-2026-32271

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:33:23Z

Weaknesses