CVE-2026-57773
Zorem Advanced · Advanced Shipment Tracking for WooCommerce
A blind SQL injection vulnerability in the Advanced Shipment Tracking for WooCommerce plugin allows authenticated attackers with administrative privileges to execute arbitrary SQL commands.
Executive summary
A blind SQL injection vulnerability in the Advanced Shipment Tracking for WooCommerce plugin could allow an authenticated administrator to compromise the application database.
Vulnerability
The plugin fails to properly sanitize user-supplied input before using it in SQL queries, resulting in a blind SQL injection vulnerability. Per the CVSS vector (PR:H), this attack requires administrative-level authentication.
Business impact
Successful exploitation of this vulnerability allows an attacker to manipulate backend database queries, potentially leading to unauthorized data exfiltration or modification. While the CVSS score of 7.6 reflects a high severity due to the potential for impact on confidentiality, the requirement for administrative privileges limits the immediate attack surface to privileged users.
Remediation
Immediate Action: Update the "Advanced Shipment Tracking for WooCommerce" plugin to version 4.0.1 or later immediately.
Proactive Monitoring: Monitor database query logs for unusual patterns, such as unexpected syntax or queries originating from administrative accounts that typically do not perform such actions.
Compensating Controls: Ensure that database service accounts operate with the principle of least privilege, restricting access only to the tables necessary for plugin functionality.
Exploitation status
Public Exploit Available: No (exploit_available: false)
Analyst recommendation
Given the risk of unauthorized database access, administrators should prioritize updating the plugin to the patched version 4.0.1. Verify the integrity of the database environment following the update to ensure no unauthorized modifications have occurred.