CVE-2026-52700

Vulnerability

The WCMultiShipping plugin for WordPress versions up to and including 3.0.2 contains a SQL injection vulnerability that can be exploited by authenticated users with Subscriber-level access. The flaw exists in an unspecified parameter, allowing direct database interaction. [1]

Exploitation

An attacker needs only a valid WordPress subscriber account to exploit this vulnerability. No additional privileges or special conditions are required. The attacker can craft malicious input that bypasses sanitization and injects SQL commands into database queries. [1]

Impact

Successful exploitation allows an attacker to read, modify, or delete arbitrary data from the WordPress database, potentially leading to information disclosure, privilege escalation, or complete site compromise. The vulnerability is considered highly dangerous and is expected to be used in mass-exploit campaigns. [1]

Mitigation

The vulnerability is fixed in version 3.0.3 of the plugin. Users are strongly advised to update immediately. If unable to update, consider using a web application firewall or the mitigation rule provided by Patchstack. [1]