CVE-2026-52700
Subscriber · WCMultiShipping
A SQL injection vulnerability exists in the WCMultiShipping plugin, enabling authenticated subscribers to manipulate database queries.
Executive summary
A SQL injection flaw in the WCMultiShipping plugin permits authenticated subscribers to execute unauthorized database operations, threatening data integrity.
Vulnerability
The vulnerability is a SQL injection stemming from improper input validation within the plugin. An attacker holding only subscriber-level authentication can leverage it to execute arbitrary SQL commands against the site's database.
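The following is an added, illustrative example and is not WCMultiShipping's code; the plugin's actual injection point is not published on this page. It shows the general pattern the advisory describes (request input concatenated into a query reachable by a low-privilege user) beside the WordPress-idiomatic fix: a capability check, input validation, and a prepared statement via $wpdb->prepare(). The function names, the wcms_example_zones table and the zone_id parameter are hypothetical; current_user_can(), absint(), WP_Error and $wpdb->prepare() are standard WordPress APIs, and manage_woocommerce is a standard WooCommerce capability.

```php
<?php
// Illustrative example only: not WCMultiShipping's code.
// Table name, function names and parameter are hypothetical.

// --- Vulnerable pattern: request input interpolated into SQL ---
function wcms_example_get_zone_rows_unsafe( $wpdb, $zone_id ) {
    // $zone_id arrives straight from the request (e.g. $_GET['zone_id']).
    // Because it is concatenated into the statement, a value that contains
    // SQL syntax changes the query's logic instead of being treated as data.
    // No capability check: any authenticated user, including a Subscriber,
    // can reach this query.
    $sql = "SELECT * FROM {$wpdb->prefix}wcms_example_zones WHERE zone_id = " . $zone_id;
    return $wpdb->get_results( $sql );
}

// --- Hardened pattern: authorisation + validation + parameterisation ---
function wcms_example_get_zone_rows_safe( $wpdb, $zone_id ) {
    // 1. Authorisation: shipping configuration is a store-management task,
    //    so a Subscriber account must not reach this query at all.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }

    // 2. Input validation: the identifier must be a positive integer.
    //    absint() coerces anything else to 0, which is rejected.
    $zone_id = absint( $zone_id );
    if ( 0 === $zone_id ) {
        return new WP_Error( 'bad_request', 'Invalid zone id.' );
    }

    // 3. Parameterisation: $wpdb->prepare() binds %d as an integer, so the
    //    supplied value can never alter the structure of the statement.
    //    The table name is built from $wpdb->prefix, not from user input.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}wcms_example_zones WHERE zone_id = %d",
        $zone_id
    );
    return $wpdb->get_results( $sql );
}
```

When auditing a plugin for this class of flaw, look for $wpdb->query(), get_results(), get_var() or get_row() calls whose SQL string is built with concatenation or interpolation from $_GET, $_POST, $_REQUEST or REST parameters, and for AJAX or REST handlers that lack a capability check. The prepared statement is the actual fix; a WAF rule that filters SQL syntax (as listed under Remediation) only reduces exposure until the patched version is installed.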
Business impact
This vulnerability carries a CVSS score of 8.5, indicating a high risk of unauthorized data access and potential database manipulation. Business operations relying on this plugin face significant exposure, including the potential for data exfiltration and unauthorized modification of shipping records.
Remediation
Immediate Action: Update the WCMultiShipping plugin to the latest version provided by the vendor to resolve the injection point.
Proactive Monitoring: Review database access logs for anomalous, high-volume, or malformed queries that deviate from standard plugin behavior.
Compensating Controls: Deploy WAF rules designed to filter SQL syntax from incoming web requests to intercept exploitation attempts.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Security teams must treat this as a high-priority issue. Ensure all installations of WCMultiShipping are audited for version compliance and apply vendor-supplied patches immediately upon release to mitigate the risk of database compromise.