Description
Unauthenticated SQL Injection in Order Delivery Date for WooCommerce <= 4.5.1 versions.
Published: 2026-06-15
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated SQL injection in the Order Delivery Date for WooCommerce plugin for WordPress. It allows attackers to inject arbitrary SQL statements into the plugin’s queries, potentially leading to data exfiltration, data modification, or full compromise of the WordPress database. The weakness is identified as CWE‑89.

Affected Systems

The affected product is the WordPress plugin Order Delivery Date for WooCommerce by tychesoftwares. Versions 4.5.1 and earlier are vulnerable. Any WordPress site running these plugin versions is at risk.

Risk and Exploitability

The CVSS score of 9.3 indicates a high severity flaw, while an EPSS score of less than 1% suggests a low current exploitation probability. The lack of an authentication requirement means a potential attacker could exploit the flaw from any web‑accessible location. The likely attack vector is through the plugin’s publicly accessible date handling endpoints; this inference is drawn from the absence of access controls and typical exposure of plugin hooks. The vulnerability is not yet listed in CISA’s KEV catalog, but its potential impact warrants immediate attention.

Generated by OpenCVE AI on June 16, 2026 at 23:19 UTC.

Remediation

Vendor Solution

Update the WordPress Order Delivery Date for WooCommerce Plugin to the latest available version (at least 4.5.2).

OpenCVE Recommended Actions

  • Apply the latest plugin update (at least v4.5.2) from tychesoftwares immediately.
  • If an update cannot be applied immediately, disable or delete the Order Delivery Date for WooCommerce plugin to block the vulnerable code paths.
  • Implement temporary traffic monitoring or firewall rules to detect and block suspicious SQL injection attempts against the website.

Generated by OpenCVE AI on June 16, 2026 at 23:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Tychesoftwares
Tychesoftwares order Delivery Date For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Tychesoftwares
Tychesoftwares order Delivery Date For Woocommerce
Wordpress
Wordpress wordpress
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated SQL Injection in Order Delivery Date for WooCommerce <= 4.5.1 versions.
Title WordPress Order Delivery Date for WooCommerce plugin <= 4.5.1 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

Tychesoftwares Order Delivery Date For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T01:27:31.842Z

Reserved: 2026-04-27T08:22:05.096Z

Link: CVE-2026-42386

cve-icon Vulnrichment

Updated: 2026-06-16T01:27:26.747Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:54.233

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-42386

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T23:30:15Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')