What the vulnerability does
01 Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YayExtra (slug: yayextra) allows SQL Injection. This issue affects YayExtra: from n/a through <= 1.5.5.
Explanation of the vulnerability in simple terms
02 Summary
YayExtra versions up to and including 1.5.5 contain a SQL injection vulnerability in a function reachable only by high-privilege users. An authenticated administrator can supply crafted input that is placed into a database query without proper escaping or parameter binding, so the input is executed as part of the SQL statement. The reported impact is limited to confidentiality (reading sensitive database records) and availability (disrupting the site); no integrity impact is reported. Exploitation requires admin-level access. Update to version 2.0.3 or later.
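To make the bug class concrete, the following is an added illustration and not YayExtra's code: a hypothetical admin-only handler that splices request input straight into a query, beside the same handler hardened with $wpdb->prepare(), a capability check and a nonce. The table name, handler names, nonce action and the option_id parameter are all assumptions made for the example; nothing here describes where the flaw actually sits in the plugin.

```php
<?php
// Added example, not from the YayExtra plugin. Names (yx_options table,
// option_id parameter, yx_option_nonce) are hypothetical.

// Vulnerable pattern: the request value is interpolated into the SQL string.
// Because the caller is an administrator, the input is trusted, and any SQL
// metacharacters it contains become part of the statement the database runs.
// An input such as  0' OR '1'='1  turns this single-row lookup into a read of
// the whole table, which is the "read sensitive database records" impact.
function yx_hypothetical_get_option_vulnerable() {
    global $wpdb;
    $option_id = $_POST['option_id'];                               // unvalidated
    $sql = "SELECT * FROM {$wpdb->prefix}yx_options WHERE id = '{$option_id}'";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: the same lookup with
//  1. a capability check, so only users who may manage options reach it,
//  2. a nonce check, so the action cannot be triggered by a forged request,
//  3. the value coerced to an integer and bound through $wpdb->prepare(),
//     so it can never change the structure of the query.
function yx_hypothetical_get_option_fixed() {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'yx_option_nonce', 'nonce' );   // terminates on failure

    $option_id = absint( $_POST['option_id'] ?? 0 );    // integer or 0, never a string

    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}yx_options WHERE id = %d",
        $option_id
    );
    return $wpdb->get_results( $sql );
}

// Hypothetical registration: both handlers are admin-only AJAX actions. The
// wp_ajax_ prefix restricts them to logged-in users, which is why, as the
// advisory states, the vulnerable variant still needs an authenticated caller.
add_action( 'wp_ajax_yx_get_option', 'yx_hypothetical_get_option_fixed' );
```

The point of the fixed version is that $wpdb->prepare() with a %d (or %s) placeholder is the only line that actually removes the injection; the capability and nonce checks limit who can reach the code but would not stop an administrator from injecting. To confirm which version a site is running, `wp plugin get yayextra --field=version` (WP-CLI) prints the installed version; anything below 2.0.3 should be updated with `wp plugin update yayextra` or from the WordPress admin.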
What an attacker can do
03 Attacker Capabilities
Run arbitrary SQL against the WordPress database: read sensitive records (for example user and configuration data stored in the database) or issue queries that make the site unavailable.
Potential impact on your site
04 Site Impact
Because the vulnerable function is only reachable by administrators, the practical risk is that a compromised or malicious administrator account can read the site's database contents or disrupt availability without needing direct database credentials. Sites where several people hold administrator accounts, or where an administrator account is phished or reused, are the realistic targets.
Conditions required to exploit
05 Prerequisites
The attacker must be authenticated to the site with an administrator-level account; unauthenticated users and lower-privilege roles cannot reach the vulnerable function.
Key dates
06 Disclosure timeline
July 16, 2025
CVE published
April 28, 2026
Record updated