{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24993", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:51.017Z", "datePublished": "2026-03-25T16:14:36.347Z", "dateUpdated": "2026-03-26T19:12:34.999Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "webd-woocommerce-advanced-reporting-statistics", "product": "Advanced WooCommerce Product Sales Reporting", "vendor": "WPFactory", "versions": [{"changes": [{"at": "4.1.4", "status": "unaffected"}], "lessThanOrEqual": "<= 4.1.3", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Que Thanh Tuan | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:17.127Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows Blind SQL Injection.<p>This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through <= 4.1.3.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows Blind SQL Injection.This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through <= 4.1.3."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:36.347Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/webd-woocommerce-advanced-reporting-statistics/vulnerability/wordpress-advanced-woocommerce-product-sales-reporting-plugin-4-1-3-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Advanced WooCommerce Product Sales Reporting plugin <= 4.1.3 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T19:12:20.950210Z", "id": "CVE-2026-24993", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:12:34.999Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows Blind SQL Injection.This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through <= 4.1.3."}, {"lang": "es", "value": "Neutralizaci\u00f3n incorrecta de elementos especiales utilizados en un comando SQL ('inyecci\u00f3n SQL') vulnerabilidad en WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics permite inyecci\u00f3n SQL ciega. Este problema afecta a Advanced WooCommerce Product Sales Reporting: desde n/d hasta &lt;= 4.1.3."}], "id": "CVE-2026-24993", "lastModified": "2026-03-26T19:16:37.087", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:41.173", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/webd-woocommerce-advanced-reporting-statistics/vulnerability/wordpress-advanced-woocommerce-product-sales-reporting-plugin-4-1-3-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.1.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Advanced WooCommerce Product Sales Reporting", "source": "cna", "vendor": "WPFactory"}, "product": "advanced_woocommerce_product_sales_reporting", "vendor": "wpfactory"}], "analysis": {"en": {"generated_at": "2026-03-25T17:36:30.549711+00:00", "value": {"mitigation_remediation": ["Upgrade the WPFactory Advanced WooCommerce Product Sales Reporting plugin to a version newer than 4.1.3", "If an upgrade is not immediately possible, restrict access to the plugin\u2019s administrative pages by IP address or implement a web application firewall rule to block suspicious SQL patterns", "Monitor database logs for unusual query activity that may indicate injection attempts", "Apply any additional security hardening, such as ensuring that database credentials have limited privileges"], "summary": {"action": "Patch Immediately", "impact": "Remote Data Compromise via SQL Injection"}, "threat_synthesis": {"affected_systems": "The issue affects the WPFactory Advanced WooCommerce Product Sales Reporting plugin for WordPress. All installations of version 4.1.3 or earlier are vulnerable. No other vendors or versions are mentioned.", "description_and_impact": "This vulnerability results from improper neutralization of special characters in an SQL command within the WPFactory Advanced WooCommerce Product Sales Reporting plugin. The flaw provides an attacker the ability to perform blind SQL injection via the plugin\u2019s interface, potentially retrieving, modifying, or deleting sensitive database contents. The impact concentrates on confidentiality and integrity of sales and customer data.", "risk_and_exploitability": "Given its classification as a SQL injection flaw (CWE\u201189), the risk of exploitation is significant. While an EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, the absence of mitigations in the code and the convenience of a web\u2011based attack surface increase the likelihood that an attacker could successfully exploit it, especially on exposed sites that have not applied the vendor\u2019s patch."}}}}, "created": "2026-03-25T21:34:24.680913+00:00", "updated": "2026-03-26T11:39:39.409314+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpfactory", "wpfactory$PRODUCT$advanced_woocommerce_product_sales_reporting"]}