Platform: wordpress
Component: products-rearrange-woocommerce
Fixed in: 1.2.3
CVE-2026-31920 identifies a critical SQL Injection vulnerability within the Product Rearrange for WooCommerce plugin. This flaw allows attackers to potentially extract sensitive data from the database through blind SQL injection techniques. The vulnerability impacts versions of the plugin up to 1.2.2. A patch is expected from the vendor.
The SQL Injection vulnerability in Product Rearrange for WooCommerce poses a significant risk to WordPress sites utilizing the plugin. An attacker could exploit this flaw to bypass authentication and gain unauthorized access to the database. This could lead to the exfiltration of sensitive customer data, including usernames, passwords, order details, and potentially even financial information. The blind nature of the injection means the attacker may need to perform multiple queries to extract data, but the potential impact remains severe. Exploitation could also lead to data modification or deletion, further compromising the integrity of the website and its data.
CVE-2026-31920 was publicly disclosed on 2026-03-25. The vulnerability's severity is high due to the potential for data exfiltration and unauthorized access. No public proof-of-concept (PoC) code has been released at the time of writing, but the nature of SQL injection vulnerabilities makes it likely that one will emerge. It is not currently listed on the CISA KEV catalog.
Websites using the Product Rearrange for WooCommerce plugin, particularly those running older, unpatched versions (n/a through 1.2.2), are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially impact others.
• wordpress / composer / npm (run on the server; the plugin directory slug appears with both "product" and "products" in this advisory, so the patterns match either spelling):
grep -rilE 'products?[-_]rearrange[-_]woocommerce' /var/www/html/wp-content/plugins/
wp plugin list --fields=name,version | grep -iE 'products?[-_]rearrange'
• generic web (a wordpress.org plugin's readme.txt, when publicly readable, reports the installed release in its "Stable tag" line):
curl -s https://your-wordpress-site.com/wp-content/plugins/product-rearrange-woocommerce/readme.txt | grep -i 'stable tag'
Disclosure date: 2026-03-25
Exploit status
EPSS: 0.04% (12th percentile)
CVSS vector
The primary mitigation for CVE-2026-31920 is to upgrade to the patched version of Product Rearrange for WooCommerce as soon as it becomes available. Until the patch is applied, implement temporary workarounds. These include deploying a Web Application Firewall (WAF) with rules to detect and block SQL injection attempts targeting the plugin's endpoints. Additionally, carefully review and strengthen input validation routines within the plugin's code, if possible, to prevent malicious SQL queries from being constructed. Monitor WordPress error logs for suspicious SQL queries and unusual database activity.
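As an added illustration (not the plugin's code, and not the specific flaw behind CVE-2026-31920, whose details this advisory does not give), here is the WordPress `$wpdb` pattern that produces this class of injection beside the hardened form the mitigation paragraph asks for. Function names, the `category_id`/`orderby` parameters and the `rearrange_products` nonce action are hypothetical; the code assumes it runs inside WordPress with WooCommerce active.

```php
<?php
// Added example, not the plugin's own code. Shows the unsafe query-building
// pattern behind (blind) SQL injection in WordPress plugins and a hardened
// replacement using $wpdb->prepare() plus an allow-list for identifiers.

// Vulnerable pattern: request values are concatenated straight into the SQL.
// Neither the numeric id nor the ORDER BY column is safe to inline this way.
function unsafe_get_products_ordered( $category_id, $orderby ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} p "
         . "JOIN {$wpdb->term_relationships} tr ON tr.object_id = p.ID "
         . "WHERE p.post_type = 'product' AND tr.term_taxonomy_id = " . $category_id
         . " ORDER BY " . $orderby;   // unsanitized, no prepare()
    return $wpdb->get_results( $sql );
}

// Hardened version:
//  - the numeric id is bound through prepare() with %d,
//  - the ORDER BY column is checked against an allow-list, because placeholders
//    cannot quote identifiers, so a whitelist is the only safe option,
//  - an unknown column falls back to a default rather than failing open.
function safe_get_products_ordered( $category_id, $orderby ) {
    global $wpdb;
    $allowed_orderby = array( 'menu_order', 'post_title', 'post_date' );
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'menu_order';
    }
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} p "
        . "JOIN {$wpdb->term_relationships} tr ON tr.object_id = p.ID "
        . "WHERE p.post_type = 'product' AND tr.term_taxonomy_id = %d "
        . "ORDER BY {$orderby}",
        absint( $category_id )
    );
    return $wpdb->get_results( $sql );
}

// Entry point for an admin-ajax.php action (hypothetical): verify the nonce and
// the caller's capability before touching the database, then pass only
// sanitized values down. 'edit_products' is the WooCommerce capability.
function handle_rearrange_request() {
    check_ajax_referer( 'rearrange_products', 'nonce' );
    if ( ! current_user_can( 'edit_products' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $category_id = isset( $_POST['category_id'] ) ? absint( $_POST['category_id'] ) : 0;
    $orderby     = isset( $_POST['orderby'] ) ? sanitize_key( $_POST['orderby'] ) : 'menu_order';
    wp_send_json_success( safe_get_products_ordered( $category_id, $orderby ) );
}
```

When reviewing a plugin for this class of bug, search for `$wpdb->query`, `get_results`, `get_var` and `get_row` calls whose SQL string is built by concatenation or interpolation rather than passed through `prepare()`.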
No known patch is available. Review the vulnerability details thoroughly and implement protective measures based on your organization's risk appetite. It may be best to uninstall the affected software and find an alternative.
CVE-2026-31920 is a critical SQL Injection vulnerability affecting Product Rearrange for WooCommerce versions up to 1.2.2, allowing attackers to potentially extract data from the database.
If you are using Product Rearrange for WooCommerce versions prior to the patched version (currently unknown), you are potentially affected by this vulnerability. Check your plugin version immediately.
Upgrade to the latest version of Product Rearrange for WooCommerce as soon as a patch is released. Until then, disable the plugin or implement input validation and WAF rules.
While no active exploitation has been confirmed, the vulnerability's severity and the nature of blind SQL injection suggest it is a high-priority target for attackers.
Refer to the official Product Rearrange for WooCommerce website or the WooCommerce plugin repository for updates and security advisories related to CVE-2026-31920.