CVE-2026-54815

Deferred Deferred - Pending Action

SQL Injection in Cargo Shipping Location for WooCommerce

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cargo RD Cargo Shipping Location for WooCommerce allows Blind SQL Injection. This issue affects Cargo Shipping Location for WooCommerce: from n/a through 5.6.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-17

Last Modified

2026-06-17

Generated

2026-06-17

AI Q&A

2026-06-17

EPSS Evaluated

N/A

NVD

CVE-2026-54815

EUVD

EUVD-2026-37708

Affected Vendors & Products

Vendor	Product	Version / Range
patchstack	cargo_shipping_location_for_woocommerce	to 5.6 (inc)
cargo_shipping_location_for_woocommerce	cargo_shipping_location_for_woocommerce	5.6

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2026-54815 is a SQL Injection vulnerability found in the Cargo Shipping Location for WooCommerce plugin, versions 5.6 and below.

This vulnerability allows unauthenticated attackers to perform Blind SQL Injection attacks, meaning they can send specially crafted SQL commands to the website's database without direct feedback, potentially extracting sensitive data.

The vulnerability arises from improper neutralization of special elements used in SQL commands, enabling attackers to manipulate database queries.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive information stored in the website's database.

Because the vulnerability allows unauthenticated attackers to interact directly with the database, it can lead to data theft and potentially compromise the confidentiality of user and business data.

The CVSS score of 9.3 indicates a high severity, meaning exploitation is likely and can cause significant damage.

Additionally, the vulnerability can cause limited availability issues (low impact on availability) but primarily threatens data confidentiality.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Cargo Shipping Location for WooCommerce plugin to version 5.7 or later, as versions 5.6 and below are vulnerable.

Until the update can be applied, it is advised to implement the mitigation rule provided by Patchstack to block attacks targeting this SQL Injection vulnerability.

Compliance Impact

The SQL Injection vulnerability in Cargo Shipping Location for WooCommerce allows unauthenticated attackers to interact directly with the website's database and potentially steal sensitive information.

Such unauthorized access and potential data theft can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against breaches.

Therefore, if exploited, this vulnerability could result in violations of these standards due to compromised confidentiality and integrity of protected data.

Detection Guidance

This vulnerability is a Blind SQL Injection in the Cargo Shipping Location for WooCommerce plugin versions 5.6 and below. Detection typically involves monitoring for unusual or suspicious SQL queries or HTTP requests targeting the vulnerable plugin endpoints.

While specific commands are not provided in the resources, common detection methods include using web application firewalls (WAF) with rules designed to block SQL injection attempts, inspecting web server logs for suspicious payloads, and using vulnerability scanners that can test for SQL injection.

Patchstack has provided a mitigation rule to block attacks until the plugin is updated, which can be used as a temporary detection and prevention measure.

Hi! I’m here to help you understand CVE-2026-54815. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-54815

SQL Injection in Cargo Shipping Location for WooCommerce

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart