CVE-2026-42727

Deferred Deferred - Pending Action

Blind SQL Injection in Active Products Tables for WooCommerce

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: Patchstack

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 Active Products Tables for WooCommerce profit-products-tables-for-woocommerce allows Blind SQL Injection.This issue affects Active Products Tables for WooCommerce: from n/a through <= 1.0.8.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-05-27

Last Modified

2026-05-27

Generated

2026-06-16

AI Q&A

2026-05-27

EPSS Evaluated

2026-06-15

NVD

CVE-2026-42727

EUVD

EUVD-2026-32181

Affected Vendors & Products

Vendor	Product	Version / Range
realmag777	active_products_tables_for_woocommerce	to 1.0.8 (inc)
realmag777	active_products_tables_for_woocommerce	From 1.0.0 (inc) to 1.0.8 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

This vulnerability is a SQL Injection flaw found in the WordPress plugin "Active Products Tables for WooCommerce" version 1.0.8 or lower. It allows attackers to inject malicious SQL commands into the website's database queries without proper neutralization of special elements. Specifically, it is a Blind SQL Injection, meaning attackers can extract information from the database even though the results are not directly visible.

The vulnerability is highly dangerous and has a CVSS severity score of 9.3, indicating a critical risk. It falls under the OWASP Top 10 category A3: Injection, which is one of the most common and severe web application security risks.

Compliance Impact

The SQL Injection vulnerability in Active Products Tables for WooCommerce allows attackers to interact directly with the website's database, potentially stealing sensitive information.

Such unauthorized access and data theft can lead to violations of data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive data from breaches.

Therefore, this vulnerability poses a significant risk to compliance with these common standards and regulations by exposing sensitive data to attackers.

Impact Analysis

Exploitation of this vulnerability allows attackers to interact directly with the website's database. This can lead to unauthorized access to sensitive information stored in the database, such as user data, product details, or other confidential information.

Because it is a Blind SQL Injection, attackers can extract data even without direct feedback from the system, making it harder to detect and potentially enabling mass-exploit campaigns targeting many websites using this plugin.

The vulnerability also has a high impact on confidentiality (C:H) and a low impact on availability (A:L), meaning it primarily risks data theft rather than service disruption.

Detection Guidance

The vulnerability is a Blind SQL Injection in the WordPress plugin "Active Products Tables for WooCommerce" version 1.0.8 or lower. Detection typically involves monitoring for unusual or suspicious SQL queries or web requests targeting the plugin's endpoints.

While specific commands are not provided in the resources, common detection methods include using web application firewalls (WAF) with rules to detect SQL injection patterns, analyzing web server logs for suspicious payloads, or using vulnerability scanners that target SQL injection vulnerabilities in WordPress plugins.

Patchstack has provided a mitigation rule to block attacks until the plugin is updated, which can also help in detecting exploitation attempts.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the "Active Products Tables for WooCommerce" plugin to version 1.0.9 or later, where the vulnerability is patched.

Until the update can be applied, users are advised to implement the mitigation rule provided by Patchstack to block attacks targeting this SQL injection vulnerability.

Additionally, monitoring for suspicious activity and restricting access to the plugin's endpoints can help reduce the risk of exploitation.

Hi! I’m here to help you understand CVE-2026-42727. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-42727

Blind SQL Injection in Active Products Tables for WooCommerce

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart