CVE-2026-42383
Improper SQL Injection in YITH WooCommerce Product Add-Ons
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yith | yith_woocommerce_product_add_ons | From 4.0.0 (inc) to 4.29.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an SQL Injection issue found in the YITH WooCommerce Product Add-Ons plugin for WordPress, affecting versions up to 4.29.0. It allows an attacker with Shop Manager privileges to perform Blind SQL Injection, which means they can send specially crafted SQL commands to the website's database without seeing the direct output.
The vulnerability arises from improper neutralization of special elements used in SQL commands, enabling attackers to manipulate database queries.
How can this vulnerability impact me? :
This vulnerability can allow attackers to interact with the website's database in unauthorized ways, potentially leading to data theft or unauthorized data access.
Although the impact is considered low severity, the CVSS score of 7.6 indicates a moderate risk, meaning it could cause significant harm if exploited.
The attacker needs Shop Manager privileges to exploit this vulnerability, which limits the attack surface but still poses a risk if such credentials are compromised.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Blind SQL Injection in the YITH WooCommerce Product Add-Ons plugin, which requires Shop Manager privileges to exploit. Detection typically involves testing for SQL injection points in the plugin's input fields or parameters.
Common detection methods include using automated vulnerability scanners that support SQL injection detection or manual testing with SQL injection payloads targeting the plugin's inputs.
Specific commands or tools that can be used include:
- Using sqlmap to test the plugin's URL parameters or POST data for SQL injection, e.g.: sqlmap -u "http://example.com/?param=value" --batch
- Using curl or wget to send crafted requests with SQL injection payloads to the plugin's endpoints and observing responses.
- Monitoring web server logs for suspicious input patterns that resemble SQL injection attempts.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to update the YITH WooCommerce Product Add-Ons plugin to version 4.29.1 or later, where this SQL Injection vulnerability has been patched.
Additionally, users of Patchstack can enable auto-updates for vulnerable plugins to ensure timely patching.
Limiting Shop Manager privileges to trusted users can also reduce the risk of exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to perform Blind SQL Injection on the affected plugin, potentially enabling unauthorized access to sensitive data stored in the website's database.
Such unauthorized data access can lead to breaches of confidentiality and data integrity, which may result in non-compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.
Therefore, if exploited, this vulnerability could compromise compliance with these common standards and regulations by exposing protected data.