CVE-2026-42383

Deferred Deferred - Pending Action

Improper SQL Injection in YITH WooCommerce Product Add-Ons

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: Patchstack

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YITH YITH WooCommerce Product Add-Ons allows Blind SQL Injection. This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.29.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-05-20

Last Modified

2026-05-20

Generated

2026-06-10

AI Q&A

2026-05-20

EPSS Evaluated

2026-06-08

NVD

CVE-2026-42383

EUVD

EUVD-2026-31098

Affected Vendors & Products

Vendor	Product	Version / Range
yith	yith_woocommerce_product_add_ons	From 4.0.0 (inc) to 4.29.0 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

This vulnerability is an SQL Injection issue found in the YITH WooCommerce Product Add-Ons plugin for WordPress, affecting versions up to 4.29.0. It allows an attacker with Shop Manager privileges to perform Blind SQL Injection, which means they can send specially crafted SQL commands to the website's database without seeing the direct output.

The vulnerability arises from improper neutralization of special elements used in SQL commands, enabling attackers to manipulate database queries.

Impact Analysis

This vulnerability can allow attackers to interact with the website's database in unauthorized ways, potentially leading to data theft or unauthorized data access.

Although the impact is considered low severity, the CVSS score of 7.6 indicates a moderate risk, meaning it could cause significant harm if exploited.

The attacker needs Shop Manager privileges to exploit this vulnerability, which limits the attack surface but still poses a risk if such credentials are compromised.

Detection Guidance

This vulnerability is a Blind SQL Injection in the YITH WooCommerce Product Add-Ons plugin, which requires Shop Manager privileges to exploit. Detection typically involves testing for SQL injection points in the plugin's input fields or parameters.

Common detection methods include using automated vulnerability scanners that support SQL injection detection or manual testing with SQL injection payloads targeting the plugin's inputs.

Specific commands or tools that can be used include:

Using sqlmap to test the plugin's URL parameters or POST data for SQL injection, e.g.: sqlmap -u "http://example.com/?param=value" --batch
Using curl or wget to send crafted requests with SQL injection payloads to the plugin's endpoints and observing responses.
Monitoring web server logs for suspicious input patterns that resemble SQL injection attempts.

Mitigation Strategies

The immediate and recommended mitigation step is to update the YITH WooCommerce Product Add-Ons plugin to version 4.29.1 or later, where this SQL Injection vulnerability has been patched.

Additionally, users of Patchstack can enable auto-updates for vulnerable plugins to ensure timely patching.

Limiting Shop Manager privileges to trusted users can also reduce the risk of exploitation.

Compliance Impact

The vulnerability allows attackers to perform Blind SQL Injection on the affected plugin, potentially enabling unauthorized access to sensitive data stored in the website's database.

Such unauthorized data access can lead to breaches of confidentiality and data integrity, which may result in non-compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.

Therefore, if exploited, this vulnerability could compromise compliance with these common standards and regulations by exposing protected data.

Hi! I’m here to help you understand CVE-2026-42383. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-42383

Improper SQL Injection in YITH WooCommerce Product Add-Ons

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart