Impact
The vulnerability is a classic SQL injection flaw in the subscriber handling logic of the WCMultiShipping plugin versions up to 3.0.2. An attacker can supply crafted input that is injected directly into database queries, allowing unauthorized read or write operations. This can result in disclosure of sensitive user data, modification of orders, or other database integrity violations. The weakness is identified as CWE-89.
Affected Systems
Vendors: WcMultishipping – Mondial Relay & Chronopost for WooCommerce:WCMultiShipping. Product: WordPress WCMultiShipping plugin. Affected versions: all releases of the plugin prior to and including 3.0.2; the fixed version is 3.0.3.
Risk and Exploitability
The CVSS score of 8.5 indicates a high severity vulnerability. Despite the EPSS score being less than 1%, meaning low current exploit probability, the lack of presence in the CISA KEV catalog does not negate the risk. The likely attack vector is through the web interface where subscriber data is entered; based on the description, the flaw appears exploitable with standard web requests. A successful exploit could enable an attacker to read or tamper with database contents.
OpenCVE Enrichment