Platform
wordpress
Component
products-rearrange-woocommerce
Fixed in
1.2.3
CVE-2026-31920 describes a critical SQL Injection vulnerability discovered in the Product Rearrange for WooCommerce plugin. The flaw allows attackers to potentially extract sensitive data from the database through blind SQL injection techniques. It affects all versions of the plugin up to and including 1.2.2 (no lower bound is given). A patch is expected to be released by the vendor.
The SQL Injection vulnerability in Product Rearrange for WooCommerce allows an attacker to bypass security measures and interact directly with the underlying database. Because it is a blind SQL injection, the attacker receives no direct query output; they must craft queries and infer results from differences in application behaviour. Successful exploitation could lead to unauthorized access to customer data (names, addresses, payment information), order details, and potentially even administrative credentials. The attacker could also modify or delete data, leading to data integrity issues and service disruption. The blast radius extends to any user whose data is stored within the WooCommerce database.
CVE-2026-31920 was publicly disclosed on 2026-03-25. The vulnerability's severity is high due to the potential for data exfiltration and modification. No public proof-of-concept (PoC) code has been released at the time of writing, but the nature of blind SQL injection means that exploitation is feasible for skilled attackers. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.04% (12th percentile)
CVSS Vector
The primary mitigation for CVE-2026-31920 is to upgrade to a patched version of the Product Rearrange for WooCommerce plugin as soon as it becomes available. Until a patch is released, consider temporarily disabling the plugin to prevent exploitation. As a short-term workaround, implement strict input validation and sanitization on all user-supplied data used in SQL queries. Web Application Firewalls (WAFs) configured with rules to detect and block SQL injection attempts can also provide an additional layer of defense. Monitor WooCommerce database logs for suspicious activity.
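To make the "input validation and sanitization on all user-supplied data used in SQL queries" point concrete, here is an added PHP illustration. It is not code from the Product Rearrange for WooCommerce plugin and does not show the plugin's actual flaw; the table, columns and inputs are constructed for the demo. It places a lookup that splices user input into SQL text next to the same lookup written with type validation and a prepared statement. It uses PDO with an in-memory SQLite database so it runs stand-alone with the `php` CLI; inside WordPress the equivalent of the prepared statement is `$wpdb->prepare()` with `%d`/`%s` placeholders.

```php
<?php
// Added illustration, not the plugin's code: the same product lookup written
// unsafely (string concatenation) and safely (validation + prepared statement).
// Runs stand-alone: PDO + in-memory SQLite. The table, columns and sample rows
// are constructed for the demo and are not the plugin's schema.

declare(strict_types=1);

function build_demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE demo_products (id INTEGER PRIMARY KEY, name TEXT, menu_order INTEGER)');
    $pdo->exec("INSERT INTO demo_products VALUES (1, 'Alpha', 10), (2, 'Beta', 20), (3, 'Gamma', 30)");
    return $pdo;
}

// Unsafe pattern: the request parameter becomes part of the SQL text, so the
// caller controls query structure, not just a value.
function lookup_unsafe(PDO $pdo, string $productId): array {
    $sql = 'SELECT id, name FROM demo_products WHERE id = ' . $productId;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe pattern: enforce the expected type first, then bind the value through a
// prepared statement so it can only ever be treated as data.
// WordPress equivalent: $wpdb->get_results( $wpdb->prepare( '... WHERE ID = %d', $id ) )
function lookup_safe(PDO $pdo, string $productId): array {
    if (!ctype_digit($productId)) {   // reject anything that is not a plain non-negative integer
        return [];
    }
    $stmt = $pdo->prepare('SELECT id, name FROM demo_products WHERE id = :id');
    $stmt->execute([':id' => (int) $productId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo      = build_demo_db();
$benign   = '2';
$tampered = '2 OR 1=1';   // constructed input that rewrites the WHERE clause when concatenated

printf("unsafe, benign input:   %d row(s)\n", count(lookup_unsafe($pdo, $benign)));
printf("unsafe, tampered input: %d row(s)\n", count(lookup_unsafe($pdo, $tampered)));
printf("safe, benign input:     %d row(s)\n", count(lookup_safe($pdo, $benign)));
printf("safe, tampered input:   %d row(s)\n", count(lookup_safe($pdo, $tampered)));
```

Run it with `php example.php`. The concatenated version returns every row for the tampered input because the extra clause becomes part of the query, while the validated and prepared version rejects that input outright and returns exactly one row for the benign id. The two defences are independent: the type check stops malformed input at the boundary, and the placeholder keeps the value out of the SQL text even if a check is later missed, which is the property a WAF rule can only approximate from the outside.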
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2026-31920 is a critical SQL Injection vulnerability affecting Product Rearrange for WooCommerce versions up to 1.2.2, allowing attackers to potentially extract data from the database.
If you are using Product Rearrange for WooCommerce versions prior to the patched version (currently unknown), you are potentially affected by this vulnerability. Check your plugin version immediately.
Upgrade to the latest version of Product Rearrange for WooCommerce as soon as a patch is released. Until then, disable the plugin or implement input validation and WAF rules.
While no active exploitation has been confirmed, the vulnerability's severity and the nature of blind SQL injection suggest it is a high-priority target for attackers.
Refer to the official Product Rearrange for WooCommerce website or the WooCommerce plugin repository for updates and security advisories related to CVE-2026-31920.