{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24993", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:51.017Z", "datePublished": "2026-03-25T16:14:36.347Z", "dateUpdated": "2026-04-28T16:14:52.690Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "webd-woocommerce-advanced-reporting-statistics", "product": "Advanced WooCommerce Product Sales Reporting", "vendor": "WPFactory", "versions": [{"changes": [{"at": "4.1.4", "status": "unaffected"}], "lessThanOrEqual": "4.1.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Que Thanh Tuan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:30.635Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows Blind SQL Injection.<p>This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through <= 4.1.3.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows Blind SQL Injection.This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through <= 4.1.3."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:52.690Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/webd-woocommerce-advanced-reporting-statistics/vulnerability/wordpress-advanced-woocommerce-product-sales-reporting-plugin-4-1-3-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Advanced WooCommerce Product Sales Reporting plugin <= 4.1.3 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T19:12:20.950210Z", "id": "CVE-2026-24993", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:39:43.502Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24993", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T19:12:20.950210Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:12:32.340Z"}}], "cna": {"title": "WordPress Advanced WooCommerce Product Sales Reporting plugin <= 4.1.3 - SQL Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Que Thanh Tuan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WPFactory", "product": "Advanced WooCommerce Product Sales Reporting", "versions": [{"status": "affected", "changes": [{"at": "4.1.4", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "4.1.3"}], "packageName": "webd-woocommerce-advanced-reporting-statistics", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:30.635Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/webd-woocommerce-advanced-reporting-statistics/vulnerability/wordpress-advanced-woocommerce-product-sales-reporting-plugin-4-1-3-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows Blind SQL Injection.This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through <= 4.1.3.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows Blind SQL Injection.<p>This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through <= 4.1.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:07.674Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24993", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:39:43.502Z", "dateReserved": "2026-01-28T09:50:51.017Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:36.347Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows Blind SQL Injection.This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through <= 4.1.3."}, {"lang": "es", "value": "Neutralizaci\u00f3n incorrecta de elementos especiales utilizados en un comando SQL ('inyecci\u00f3n SQL') vulnerabilidad en WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics permite inyecci\u00f3n SQL ciega. Este problema afecta a Advanced WooCommerce Product Sales Reporting: desde n/d hasta &lt;= 4.1.3."}], "id": "CVE-2026-24993", "lastModified": "2026-04-24T16:32:53.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:41.173", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/webd-woocommerce-advanced-reporting-statistics/vulnerability/wordpress-advanced-woocommerce-product-sales-reporting-plugin-4-1-3-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.1.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Advanced WooCommerce Product Sales Reporting", "source": "cna", "vendor": "WPFactory"}, "product": "advanced_woocommerce_product_sales_reporting", "vendor": "wpfactory"}], "analysis": {"en": {"generated_at": "2026-03-26T20:28:35.976239+00:00", "value": {"mitigation_remediation": ["Update the Advanced WooCommerce Product Sales Reporting plugin to version 4.1.4 or newer.", "Verify that the new version contains the applied fix and test functionality.", "If an update is not immediately available, temporarily restrict access to the plugin\u2019s administrative pages and consider applying a web application firewall rule to block SQL injection payloads.", "Perform a review of other plugins and core WordPress installation to ensure no similar input validation weaknesses exist.", "Monitor logs for suspicious database queries or repeated injection attempts."], "summary": {"action": "Patch", "impact": "SQL Injection \u2013 blind execution leading to data exposure or manipulation"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress plugin Advanced WooCommerce Product Sales Reporting developed by WPFactory. Versions from the initial release through 4.1.3 (inclusive) are vulnerable. Users running any of these releases should consider upgrading.", "description_and_impact": "The vulnerability is a blind SQL injection flaw caused by improper sanitization of user input in WPFactory's Advanced WooCommerce Product Sales Reporting plugin. An attacker can send crafted queries that are executed on the underlying database, potentially allowing confidential data to be read, modified, or deleted. The weakness is a classic Injection flaw as defined by CWE-89.", "risk_and_exploitability": "The CVSS score of 9.3 classifies the issue as critical, indicating high severity. The EPSS score is less than 1\u202f%, suggesting low likelihood of exploitation in the wild, and it is not listed in the CISA KEV catalog. Attackers would need to interact with the plugin\u2019s input fields, likely via the WordPress administration interface or possibly exposed front\u2011end endpoints, and rely on a blind injection technique where they infer database information through timing or boolean responses."}}}}, "created": "2026-03-25T21:34:24.680913+00:00", "updated": "2026-03-27T09:46:14.950567+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpfactory", "wpfactory$PRODUCT$advanced_woocommerce_product_sales_reporting"]}