Advanced Reporting & Statistics for WooCommerce – Orders, Products & Customers Reporting <= 4.1.3 - Unauthenticated SQL Injection
Description
The Advanced Reporting & Statistics for WooCommerce – Orders, Products & Customers Reporting plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 4.1.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NTechnical Details
<=4.1.3What Changed in the Fix
Changes introduced in v4.1.4
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-24993 ## 1. Vulnerability Summary The **Advanced Reporting & Statistics for WooCommerce** plugin (versions <= 4.1.3) is vulnerable to **Unauthenticated SQL Injection**. The vulnerability resides in the `OrderProcessorHelp` class (found in `helper-class.php`),…
Show full research plan
Exploitation Research Plan - CVE-2026-24993
1. Vulnerability Summary
The Advanced Reporting & Statistics for WooCommerce plugin (versions <= 4.1.3) is vulnerable to **Unauthenticated SQL Injection**. The vulnerability resides in the OrderProcessorHelp class (found in helper-class.php), specifically within the display_orders_by_period function and potentially other AJAX handlers like get_orders. The issue is caused by the direct concatenation of user-supplied parameters (such as customer_id and order_status) into SQL queries without proper sanitization or the use of $wpdb->prepare().
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
display_orders_by_period(orget_orders,get_customers, etc., as they share similar logic). - Vulnerable Parameters:
customer_id(viaget_posted_customer_id()) andorder_status(viaget_posted_order_status()). - Authentication: Unauthenticated. While the source code for 4.1.3 shows
wp_ajax_hooks, the CVE identifies this as unauthenticated, suggesting either missing/misconfigurednoprivhooks or an alternative entry point in version 4.1.3. - Preconditions:
- WooCommerce must be installed and active.
Summary
The Advanced Reporting & Statistics for WooCommerce plugin is vulnerable to SQL injection because it directly concatenates user-supplied parameters into database queries within several AJAX functions. An attacker can exploit this to execute arbitrary SQL commands and extract sensitive information from the database, such as user credentials and configuration details.
Vulnerable Code
// helper-class.php lines 236-253 if ( $customer_id ) { $query .= " AND orders.customer_id = '{$customer_id}' "; } // ... (truncated) $query .= " GROUP BY period ORDER BY period DESC "; $results = $wpdb->get_results( $query ); --- // helper-class.php lines 868-893 if ( ! empty( $_POST['status'] ) ) { $query .= " AND orders.status = '" . $_POST['status'] . "' "; } $data = $wpdb->get_results( $query ); --- // helper-class.php lines 118-149 public function periodFilter( $period ) { global $wpdb; $theperiod = ( ( isset( $period ) && $period =='month' ) ? '%Y-%m' : '%Y' ); if ( OrderUtil::custom_orders_table_usage_is_enabled() ) { $query = " SELECT DISTINCT DATE_FORMAT(date_created_gmt, '{$theperiod}' ) AS period FROM {$wpdb->prefix}wc_orders WHERE type='shop_order' GROUP BY period ORDER BY period DESC "; } // ... $periods = $wpdb->get_results( $query );
Security Fix
@@ -146,7 +148,7 @@ "; } - $periods = $wpdb->get_results( $query ); + $periods = $wpdb->get_results( $wpdb->prepare( $query ) ); if ( $periods ) { return $periods; @@ -253,7 +255,7 @@ $query .= " GROUP BY period ORDER BY period DESC "; - $results = $wpdb->get_results( $query ); + $results = $wpdb->get_results( $wpdb->prepare( $query ) ); $message = ''; @@ -890,7 +892,7 @@ } - $data = $wpdb->get_results( $query ); + $data = $wpdb->get_results( $wpdb->prepare( $query ) ); $response = array( 'customers' => '', @@ -996,7 +998,7 @@ ORDER BY total DESC "; - $data = $wpdb->get_results( $query ); + $data = $wpdb->get_results( $wpdb->prepare( $query ) ); $response = array( 'name' => array(), @@ -1093,7 +1095,7 @@ ORDER BY total DESC "; - $data = $wpdb->get_results( $query ); + $data = $wpdb->get_results( $wpdb->prepare( $query ) ); $response = array( 'name' => array(), @@ -1181,7 +1183,7 @@ ORDER BY total DESC "; - $data = $wpdb->get_results( $query ); + $data = $wpdb->get_results( $wpdb->prepare( $query ) ); $response = array( 'name' => array(), @@ -1311,7 +1313,7 @@ ORDER BY total DESC "; - $data = $wpdb->get_results( $query ); + $data = $wpdb->get_results( $wpdb->prepare( $query ) ); $response = array( 'name' => array(), @@ -1420,7 +1422,7 @@ ORDER BY total DESC "; - $data = $wpdb->get_results( $query ); + $data = $wpdb->get_results( $wpdb->prepare( $query ) ); $response = array( 'name' => array(),
Exploit Outline
The exploit targets the AJAX handlers registered in the OrderProcessorHelp class, such as display_orders_by_period or get_customers. An attacker sends a POST request to /wp-admin/admin-ajax.php with an action parameter matching one of these handlers. By supplying a malicious SQL payload in the customer_id or order_status parameters, the attacker breaks out of the intended SQL query string and appends their own logic. Since these methods utilize $wpdb->get_results() on a raw concatenated string, the injected SQL is executed directly. Although the code contains current_user_can('manage_woocommerce') checks in some functions, the vulnerability is reported as unauthenticated, implying bypasses or specific unprotected paths in versions <= 4.1.3.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.