What the vulnerability does
01Description
Subscriber SQL Injection in WCMultiShipping <= 3.0.2 versions.
CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
What the vulnerability does
Subscriber SQL Injection in WCMultiShipping <= 3.0.2 versions.
Explanation of Vulnerability in Simple Terms
WCMultiShipping contains a SQL injection vulnerability in versions up to 3.0.2. An authenticated user with low privileges can inject malicious SQL commands through unfiltered input, potentially reading sensitive database records and disrupting site availability. The vulnerability affects the entire WooCommerce installation due to scope change.
What an attacker can do
Read sensitive database records and cause partial site unavailability through SQL injection.
Potential impact on your site
Customer data, order information, and other database records may be exposed; site performance may degrade.
Conditions required to exploit
Attacker must have a low-privilege WooCommerce account (e.g., customer or subscriber role).
Key dates
External resources
Related vulnerabilities