Impact
Cargo Shipping Location for WooCommerce contains an SQL Injection flaw where user input is not properly neutralized before being incorporated into an SQL command. This weakness permits a blind SQL Injection attack, allowing an attacker to query the database, extract sensitive information, modify existing records, or cause unintended data deletion. The compromise could lead to confidentiality, integrity, and availability disruptions for the storefront and backend data.
Affected Systems
The flaw is present in all releases of Cargo Shipping Location for WooCommerce up to and including version 5.6, as disclosed by Cargo RD. The plugin, which extends WooCommerce with custom shipping location logic, is distributed for WordPress sites. Administrators using any affected version are directly exposed to the injection vulnerability. The vulnerability ceased to exist once the plugin version is updated to at least 5.7, which incorporates the vendor's patch.
Risk and Exploitability
The CVSS base score of 9.3 marks the vulnerability as critical, while the EPSS score is not available, meaning the current estimation of exploitation likelihood is unknown. The vulnerability is not listed in CISA's KEV catalog, suggesting it is not known to be actively exploited at the time of assessment. Attackers could exploit this weakness through the web interface that receives shipping location requests, making the attack vector susceptible to network-based intrusion. Inferred from the description, the attacker would need to supply malicious payloads in input fields that are bound to database queries, indicating that remote exploitation via crafted requests is possible.
OpenCVE Enrichment