VYPR
High severity · CVSS 7.6 · NVD Advisory · Published May 20, 2026 · Updated May 20, 2026

CVE-2026-42383

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YITH YITH WooCommerce Product Add-Ons allows Blind SQL Injection.

This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.29.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Blind SQL injection in YITH WooCommerce Product Add-Ons plugin for WordPress allows attackers to extract database information.

Vulnerability

The YITH WooCommerce Product Add-Ons plugin for WordPress versions up to 4.29.0 fails to properly neutralize special elements used in SQL commands, leading to a blind SQL injection vulnerability. The issue exists in the plugin's handling of user-supplied input within product add-on fields. Affected versions: from n/a through 4.29.0 [1].

Exploitation

An attacker can exploit this vulnerability without authentication by sending crafted HTTP requests to the WordPress site that inject SQL into the affected query. Because the injection is blind, the attacker does not see query output directly but can infer database contents from differences in response timing or error behaviour. The vulnerability is reportedly used in mass-exploit campaigns targeting thousands of websites [1].

Impact

Successful exploitation allows an attacker to interact with the underlying database, potentially extracting sensitive information such as user credentials, personal data, or other stored content. The CVSS score is 7.6 (High), indicating significant confidentiality impact [1].

Mitigation

The vulnerability is fixed in version 4.29.1. Users should update to this version immediately. If unable to update, consider contacting your hosting provider or web developer for assistance. Patchstack users can enable auto-update for vulnerable plugins [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.