CVE-2026-42383

YITH · WooCommerce Product Add-Ons

A Blind SQL Injection vulnerability exists in the YITH WooCommerce Product Add-Ons plugin due to improper neutralization of special elements in SQL commands.

Executive summary

A critical SQL injection vulnerability in the YITH WooCommerce Product Add-Ons plugin could allow an attacker to extract sensitive database information.

Vulnerability

The vulnerability is an Improper Neutralization of Special Elements used in an SQL Command, exploitable as a Blind SQL Injection: the attacker does not see query results directly but infers database contents from differences in the application's responses. This flaw allows an attacker to interact with the backend database in an unauthorized manner.

Business impact

This vulnerability poses a significant risk to data confidentiality, as attackers could potentially exfiltrate customer data, credentials, or sensitive business information. With a CVSS score of 7.6, the risk is classified as High, necessitating rapid remediation to prevent unauthorized data exposure and potential regulatory compliance violations.

Remediation

Immediate Action: Update the YITH WooCommerce Product Add-Ons plugin to the latest version provided by the vendor.

Proactive Monitoring: Enable database query logging and monitor for anomalous patterns or large volumes of unexpected queries that may indicate automated injection attempts.

Compensating Controls: Deploy a Web Application Firewall (WAF) with updated rulesets designed to detect and block common SQL injection patterns targeting WordPress plugins.
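As an added illustration of the Proactive Monitoring step (this is example code, not part of the advisory and not the vendor's tooling), the script below scans MySQL general-log style lines for the two signatures blind SQL injection probes leave in query logs: delay functions (time-based) and literal-only boolean conditions such as `AND 1=1` (boolean-based), and reports connections that produce a burst of such queries. The log line layout, the `wp_` table names and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Blind SQLi probes leave two characteristic traces in logged SQL:
# time-based probes call delay functions, boolean-based probes append
# literal-vs-literal conditions that plugin-generated SQL never contains.
TIME_BASED = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)
BOOLEAN_BASED = re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+\b", re.IGNORECASE)

# Assumed MySQL general-log shape: "<timestamp> <connection_id> Query <sql>"
LOG_LINE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")

# Constructed sample log (not real traffic): connection 17 sends one
# legitimate query followed by three probes; connection 18 is benign.
SAMPLE_LOG = """\
2026-04-01T10:00:01Z 17 Query SELECT meta_value FROM wp_postmeta WHERE post_id = 42 AND meta_key = 'addon_option'
2026-04-01T10:00:02Z 17 Query SELECT meta_value FROM wp_postmeta WHERE post_id = 42 AND SLEEP(5) AND meta_key = 'addon_option'
2026-04-01T10:00:03Z 17 Query SELECT meta_value FROM wp_postmeta WHERE post_id = 42 AND 1=1 AND meta_key = 'addon_option'
2026-04-01T10:00:03Z 17 Query SELECT meta_value FROM wp_postmeta WHERE post_id = 42 AND 1=2 AND meta_key = 'addon_option'
2026-04-01T10:00:05Z 18 Query SELECT option_value FROM wp_options WHERE option_name = 'siteurl'
"""


def classify_query(sql):
    """Return the list of blind-SQLi indicators found in one SQL statement."""
    hits = []
    if TIME_BASED.search(sql):
        hits.append("time-based")
    if BOOLEAN_BASED.search(sql):
        hits.append("boolean-based")
    return hits


def scan_log(text, burst_threshold=3):
    """Return (flagged, bursts): flagged queries as (timestamp, conn, hits)
    tuples, and the connection ids that reached burst_threshold flagged
    queries, which is the 'large volume' pattern of an automated probe."""
    flagged = []
    per_conn = defaultdict(int)
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not Query events
        ts, conn, sql = m.groups()
        hits = classify_query(sql)
        if hits:
            flagged.append((ts, conn, hits))
            per_conn[conn] += 1
    bursts = sorted(c for c, n in per_conn.items() if n >= burst_threshold)
    return flagged, bursts


if __name__ == "__main__":
    for ts, conn, hits in scan_log(SAMPLE_LOG)[0]:
        print(f"{ts} conn={conn} {','.join(hits)}")
```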

Exploitation status

Public Exploit Available: false

Analyst recommendation

SQL injection remains a primary vector for data theft in web applications. Administrators are strongly urged to verify their current plugin version and apply the vendor patch immediately to mitigate the risk of data compromise.