CVE-2026-45211
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal APIExperts Square for WooCommerce woosquare allows Blind SQL Injection. This issue affects APIExperts Square for WooCommerce: from n/a through <= 4.7.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Blind SQL injection in APIExperts Square for WooCommerce (≤4.7.1) allows unauthenticated attackers to extract database contents.
Vulnerability Overview
The APIExperts Square for WooCommerce plugin (woosquare) for WordPress, versions up to and including 4.7.1, contains a blind SQL injection vulnerability. The root cause is improper neutralization of special elements used in an SQL command, allowing an attacker to inject malicious SQL queries through the plugin's input fields [1].
Exploitation Details
This vulnerability can be exploited without authentication, making it accessible to any remote attacker. The blind SQL injection technique means the attacker does not receive direct database output but can infer information through boolean-based or time-based responses. The attack surface is broad because the plugin is widely deployed on WordPress sites, and such vulnerabilities are frequently used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].
Impact
Successful exploitation allows an attacker to interact directly with the underlying database. This can lead to the extraction of sensitive information, including user credentials, personal data, and other stored content. The CVSS v3 score of 8.5 (High) reflects the potential for significant confidentiality impact [1].
Mitigation
The vendor has released version 4.7.2, which patches the vulnerability. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins to streamline the patching process [1].
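To confirm which sites still need the update, the following added example (not code from the vendor or the advisory) reads the plugin's `Version:` header under each WordPress root and flags anything below 4.7.2. It assumes the standard `wp-content/plugins/woosquare` layout; the roots and the `main.php` file name in `demo()` are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

FIXED = (4, 7, 2)   # first patched release, per the advisory
SLUG = "woosquare"  # plugin directory name, per the advisory
HEADER = re.compile(rb"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.I | re.M)

def parse_version(text):
    """'4.7.1' -> (4, 7, 1); padded so '4.7' compares as 4.7.0."""
    parts = [int(p) for p in text.split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))

def installed_version(plugin_dir):
    """Read the Version header from the plugin's top-level PHP files."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        m = HEADER.search(php.read_bytes()[:8192])  # WordPress reads the first 8 KB
        if m:
            return m.group(1).decode()
    return None

def audit(wp_roots):
    """Return (root, version, status) for each root that has the plugin."""
    findings = []
    for root in wp_roots:
        plugin_dir = Path(root) / "wp-content" / "plugins" / SLUG
        if not plugin_dir.is_dir():
            continue
        version = installed_version(plugin_dir)
        if version is None:
            status = "unknown"  # no header found: inspect by hand
        else:
            status = "vulnerable" if parse_version(version) < FIXED else "patched"
        findings.append((str(root), version, status))
    return findings

def demo():
    """Constructed sample: three fake WordPress roots in a temp directory."""
    header = "<?php\n/*\n * Plugin Name: Sample\n * Version: {}\n */\n"
    with tempfile.TemporaryDirectory() as tmp:
        roots = [Path(tmp) / name for name in ("shop-a", "shop-b", "blog")]
        for root, ver in zip(roots, ("4.7.1", "4.7.2")):  # "blog" lacks the plugin
            d = root / "wp-content" / "plugins" / SLUG
            d.mkdir(parents=True)
            (d / "main.php").write_text(header.format(ver))  # file name is made up
        return [(Path(r).name, v, s) for r, v, s in audit(roots)]

if __name__ == "__main__":
    print(demo())
```

Pass `audit()` the document roots of the sites you manage; an `unknown` status means the plugin directory exists but no version header was readable, so check that install manually.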
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=4.7.1
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.