Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YITH YITH WooCommerce Product Add-Ons allows Blind SQL Injection.

This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.29.0.
Published: 2026-05-20
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an improper neutralization of special elements in an SQL command that allows an attacker to perform blind SQL injection against the YITH WooCommerce Product Add‑Ons plugin. An attacker can send crafted input to the plugin’s endpoints, causing the database to execute arbitrary SQL statements. This can lead to data exposure, modification, or deletion, compromising the confidentiality, integrity and availability of the store’s transactional data.

Affected Systems

The vulnerability impacts the YITH WooCommerce Product Add‑Ons plugin for WordPress, affecting all installations from the first version up to and including 4.29.0. Versions 4.29.1 and later contain the fix.

Risk and Exploitability

With a CVSS score of 7.6, the vulnerability is considered high severity. The EPSS score is not available, so the current exploitation likelihood is unknown, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is via web requests that the plugin processes, meaning an unauthenticated or low‑privileged attacker could trigger the injection if no input validation or parameterization is enforced. Once exploited, the attacker can exfiltrate sensitive customer data or alter order records, which directly threatens the store’s business operations.

Generated by OpenCVE AI on May 20, 2026 at 14:38 UTC.

Remediation

Vendor Solution

Update the WordPress YITH WooCommerce Product Add-Ons Plugin to the latest available version (at least 4.29.1).


OpenCVE Recommended Actions

  • Update the YITH WooCommerce Product Add‑Ons plugin to version 4.29.1 or newer, which removes the injection point.
  • If an immediate update is not feasible, block the vulnerable endpoints or filter payloads using a web‑application firewall to prevent specially crafted SQL strings from reaching the database.
  • Review the database for any unauthorized changes and consider resetting compromised data or changing authentication credentials.

Generated by OpenCVE AI on May 20, 2026 at 14:38 UTC.

Advisories

No advisories yet.

History

Wed, 20 May 2026 16:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 13:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YITH YITH WooCommerce Product Add-Ons allows Blind SQL Injection. This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.29.0.
Title       |                | WordPress YITH WooCommerce Product Add-Ons plugin <= 4.29.0 - SQL Injection vulnerability
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_1: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-20T15:29:13.270Z

Reserved: 2026-04-27T08:22:05.096Z

Link: CVE-2026-42383

Vulnrichment

Updated: 2026-05-20T15:18:58.947Z

NVD

Status: Deferred

Published: 2026-05-20T13:16:32.333

Modified: 2026-05-20T13:54:54.890

Link: CVE-2026-42383

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T14:45:32Z

Weaknesses