VYPR
High severity 7.6 · NVD Advisory · Published Mar 13, 2026 · Updated Apr 29, 2026

CVE-2026-32459

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in flycart UpsellWP checkout-upsell-and-order-bumps allows Blind SQL Injection. This issue affects UpsellWP: from n/a through <= 2.2.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Blind SQL Injection vulnerability in UpsellWP plugin (≤2.2.4) allows unauthenticated attackers to extract database contents.

Versions of the UpsellWP WordPress plugin (formerly known as checkout-upsell-and-order-bumps) up to and including 2.2.4 contain a blind SQL injection vulnerability. The root cause is improper neutralization of special elements used in an SQL command: unsanitized input reaches a database query, so an attacker can inject SQL through the affected input fields [1]. This is a classic SQLi flaw in the plugin's database interaction logic.

Attackers can exploit this vulnerability without authentication, making it accessible to any remote attacker. The blind SQL injection technique can be used to extract data piece by piece by observing application responses or timing delays. No special network position or user interaction is required beyond sending crafted HTTP requests to vulnerable endpoints [1].

The impact includes unauthorized access to the underlying WordPress database. An attacker could extract sensitive information such as user credentials, session tokens, and other stored data. The CVSS score of 7.6 reflects the high severity due to the ease of exploitation and potential for data breach [1].

A patched version, 2.2.5, has been released to fix the vulnerability. Users are strongly advised to update immediately or to enable auto-updates for plugins. The vulnerability has been reported as used in mass-exploitation campaigns targeting thousands of websites, which makes remediation urgent [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)