Platform: wordpress
Component: webd-woocommerce-advanced-reporting-statistics
Fixed in: 4.1.4
CVE-2026-24993 describes a critical SQL Injection vulnerability discovered in Advanced WooCommerce Product Sales Reporting. This flaw allows attackers to perform blind SQL injection, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 through 4.1.3, and a patch is available in version 4.1.4.
The SQL injection vulnerability in Advanced WooCommerce Product Sales Reporting lets an attacker reach the underlying database through input that the plugin incorporates into a query without adequate sanitisation or parameterisation. Because the injection is blind, the attacker receives no direct query output and must infer database contents indirectly from differences in the application's responses, which makes exploitation slower but no less serious. Successful exploitation could expose sensitive customer data, order information, financial details, and potentially administrative credentials. Depending on the database schema and the privileges of the database user, an attacker might also modify or delete data and significantly disrupt the WooCommerce store's operations. As with SQL injection generally, the root cause is attacker-controlled input being interpreted as part of a SQL statement rather than treated as data.
CVE-2026-24993 was publicly disclosed on 2026-03-25. The vulnerability's severity is considered critical due to the potential for data exfiltration and system compromise. As of this writing, there are no publicly available exploits, but the blind SQL injection nature of the vulnerability makes it likely that Proof-of-Concept (PoC) code will emerge. Monitor CISA and NVD for updates and potential inclusion in the KEV catalog.
Exploit Status
EPSS: 0.04% (12th percentile)
CISA SSVC: (not provided)
CVSS Vector: (not provided)
The primary mitigation for CVE-2026-24993 is to upgrade Advanced WooCommerce Product Sales Reporting to version 4.1.4 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, deploy a Web Application Firewall (WAF) with rules that detect and block SQL injection attempts against the plugin's endpoints. In addition, review and restrict the permissions of the database user WordPress connects with, so that a successful injection cannot read or alter more than that user is granted. Review web server access logs for request parameters that contain SQL syntax, and database logs for unusual query activity such as unexpectedly slow or repetitive queries.
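One way to carry out the log-monitoring step above, as an added example that is not part of the advisory or the plugin's code: a Python script that parses combined-format access log lines, URL-decodes each query parameter (twice, so a double-encoded payload is still seen), and flags values matching common injection signatures, including the time-based patterns that characterise blind injection. The log lines, the request path and the parameter names are constructed placeholders, not the plugin's real endpoint; the signature list is a heuristic and will produce false positives on free-text fields, so treat hits as triage candidates rather than verdicts.

```python
"""Flag HTTP requests whose query parameters carry SQL-injection indicators.

Added example for the advisory's log-monitoring recommendation; it is not
code from the plugin or its vendor.  Paths, parameter names and log lines
below are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache/Nginx "combined" format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# (name, regex) pairs matched against one decoded parameter value.
# Heuristic: e.g. "sql-comment" also fires on a benign "a--b" value.
SIGNATURES = [
    ("sql-comment", re.compile(r"--|/\*|\*/")),
    ("quote-then-keyword", re.compile(r"""['"]\s*(or|and|union|select)\b""", re.I)),
    ("union-select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)),
    # Delay functions are the classic signal of time-based blind injection.
    ("time-based-blind", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("tautology", re.compile(r"""\b(or|and)\b\s+['"]?\w+['"]?\s*=\s*['"]?\w+""", re.I)),
]


def decode_params(target: str) -> list:
    """Return [(name, value), ...] for the request target's query string.

    parse_qsl decodes once; the extra unquote_plus catches double encoding
    (%2527 -> %27 -> ') that a single decode would leave hidden.
    """
    query = urlsplit(target).query
    return [(k, unquote_plus(v)) for k, v in parse_qsl(query, keep_blank_values=True)]


def classify(value: str) -> list:
    """Names of every signature the decoded value matches, in SIGNATURES order."""
    return [name for name, rx in SIGNATURES if rx.search(value)]


def scan_line(line: str):
    """Parse one log line; return a dict with its suspicious params, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = []
    for name, value in decode_params(m.group("target")):
        reasons = classify(value)
        if reasons:
            hits.append({"param": name, "value": value, "reasons": reasons})
    return {"ip": m.group("ip"), "time": m.group("time"), "target": m.group("target"),
            "status": int(m.group("status")), "hits": hits}


def scan(lines) -> list:
    """Return only the parsed entries that carry at least one hit."""
    flagged = []
    for line in lines:
        entry = scan_line(line)
        if entry and entry["hits"]:
            flagged.append(entry)
    return flagged


# Constructed sample log; /wp-admin/admin.php?page=example-report is a placeholder path.
SAMPLE_LOG = [
    '203.0.113.10 - - [25/Mar/2026:10:00:01 +0000] "GET /wp-admin/admin.php?page=example-report&from=2026-03-01&to=2026-03-25 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Mar/2026:10:00:09 +0000] "GET /wp-admin/admin.php?page=example-report&from=2026-03-01\'+OR+\'1\'=\'1&to=2026-03-25 HTTP/1.1" 200 5123 "-" "curl/8.0"',
    '198.51.100.7 - - [25/Mar/2026:10:00:14 +0000] "GET /wp-admin/admin.php?page=example-report&from=2026-03-01&to=2026-03-25\'+AND+SLEEP(5)--+ HTTP/1.1" 200 5123 "-" "curl/8.0"',
    '192.0.2.44 - - [25/Mar/2026:10:01:02 +0000] "GET /wp-admin/admin.php?page=example-report&from=1%2527%2520OR%25201%253D1&to=2026-03-25 HTTP/1.1" 200 5123 "-" "python-requests/2.31"',
    '203.0.113.10 - - [25/Mar/2026:10:02:30 +0000] "GET /wp-admin/admin.php?page=example-report&orderby=total&order=desc HTTP/1.1" 200 4711 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [25/Mar/2026:10:02:31 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in scan(SAMPLE_LOG):
        for hit in entry["hits"]:
            print(f'{entry["time"]} {entry["ip"]} param={hit["param"]!r} '
                  f'value={hit["value"]!r} reasons={",".join(hit["reasons"])}')
```

Run against a real access log by replacing `SAMPLE_LOG` with the file's lines; the benign date-range, sort-order and parameterless POST lines produce no hits, while the three injection-shaped requests are reported with the signature names that fired, which is usually enough to decide whether a WAF rule or an IP-level block is warranted while the upgrade is scheduled.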
Update to version 4.1.4, or a newer patched version
CVE-2026-24993 is a critical SQL Injection vulnerability affecting Advanced WooCommerce Product Sales Reporting versions 0.0.0–4.1.3, allowing attackers to potentially extract sensitive data.
If you are using Advanced WooCommerce Product Sales Reporting versions 0.0.0 through 4.1.3, you are vulnerable to this SQL Injection flaw.
Upgrade to version 4.1.4 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation if immediate upgrade is not possible.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the WPFactory website and the WordPress plugin repository for the official advisory and update information.