Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cargo RD Cargo Shipping Location for WooCommerce allows Blind SQL Injection.

This issue affects Cargo Shipping Location for WooCommerce: from n/a through 5.6.
Published: 2026-06-17
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cargo Shipping Location for WooCommerce contains an SQL Injection flaw where user input is not properly neutralized before being incorporated into an SQL command. This weakness permits a blind SQL Injection attack, allowing an attacker to query the database, extract sensitive information, modify existing records, or cause unintended data deletion. The compromise could lead to confidentiality, integrity, and availability disruptions for the storefront and backend data.

Affected Systems

The flaw is present in all releases of Cargo Shipping Location for WooCommerce up to and including version 5.6, as disclosed by Cargo RD. The plugin, which extends WooCommerce with custom shipping location logic, is distributed for WordPress sites. Administrators using any affected version are directly exposed to the injection vulnerability. The vulnerability ceased to exist once the plugin version is updated to at least 5.7, which incorporates the vendor's patch.

Risk and Exploitability

The CVSS base score of 9.3 marks the vulnerability as critical, while the EPSS score is not available, meaning the current estimation of exploitation likelihood is unknown. The vulnerability is not listed in CISA's KEV catalog, suggesting it is not known to be actively exploited at the time of assessment. Attackers could exploit this weakness through the web interface that receives shipping location requests, making the attack vector susceptible to network-based intrusion. Inferred from the description, the attacker would need to supply malicious payloads in input fields that are bound to database queries, indicating that remote exploitation via crafted requests is possible.

Generated by OpenCVE AI on June 18, 2026 at 13:50 UTC.

Remediation

Vendor Solution

Update the WordPress Cargo Shipping Location for WooCommerce Plugin to the latest available version (at least 5.7).


OpenCVE Recommended Actions

  • Update the WordPress Cargo Shipping Location for WooCommerce Plugin to the latest available version (at least 5.7).
  • Verify that any custom WooCommerce extensions or theme code interacting with the database properly sanitizes all user inputs.
  • Use a Web Application Firewall to block malicious SQL injection payloads.

Generated by OpenCVE AI on June 18, 2026 at 13:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Cargo Rd
Cargo Rd cargo Shipping Location For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Cargo Rd
Cargo Rd cargo Shipping Location For Woocommerce
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cargo RD Cargo Shipping Location for WooCommerce allows Blind SQL Injection. This issue affects Cargo Shipping Location for WooCommerce: from n/a through 5.6.
Title WordPress Cargo Shipping Location for WooCommerce plugin <= 5.6 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Cargo Rd Cargo Shipping Location For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:52:13.496Z

Reserved: 2026-06-16T09:21:46.612Z

Link: CVE-2026-54815

cve-icon Vulnrichment

Updated: 2026-06-17T14:51:21.604Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:57:36Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')