VYPR
Critical severity 9.3 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-42386

Description

Unauthenticated SQL Injection in Order Delivery Date for WooCommerce <=4.5.1 allows attackers to steal or manipulate database contents.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An unauthenticated SQL Injection vulnerability exists in the WordPress plugin Order Delivery Date for WooCommerce in versions up to and including 4.5.1 [1]. The flaw resides in insufficient sanitization of user-supplied input, allowing an attacker to inject arbitrary SQL queries without requiring any authentication.

Exploitation

An attacker can exploit this vulnerability remotely over HTTP without any prior authentication or user interaction. By sending a crafted request containing malicious SQL payloads as part of a vulnerable parameter, the attacker can inject commands that are executed against the plugin’s database queries [1]. No special network position is required; the attack can be carried out from any internet-connected location.

Impact

Successful exploitation grants the attacker the ability to directly interact with the underlying WordPress database. This can lead to unauthorized extraction of sensitive information such as user credentials, order details, and other stored data, as well as potential modification or deletion of database content [1]. Given the CVSS v3 score of 9.3 (Critical), the impact is severe and could result in full site compromise.

Mitigation

The vendor has released a patched version 4.5.2 to address the vulnerability [1]. All users are strongly advised to update to this version immediately. If immediate updating is not possible, applying a virtual patch or mitigation rule (e.g., from Patchstack) can block exploitation attempts until the update is performed [1]. This vulnerability is expected to be used in mass-exploit campaigns, making prompt mitigation essential.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
