[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fuV2TA0e9ReMQNrbWjqCUILEBbTxEb5NmGxrAo57YEyA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-24993","advanced-reporting-statistics-for-woocommerce-orders-products-customers-reporting-unauthenticated-sql-injection","Advanced Reporting & Statistics for WooCommerce – Orders, Products & Customers Reporting \u003C= 4.1.3 - Unauthenticated SQL Injection","The Advanced Reporting & Statistics for WooCommerce – Orders, Products & Customers Reporting plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 4.1.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","webd-woocommerce-advanced-reporting-statistics",null,"\u003C=4.1.3","4.1.4","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-03-18 00:00:00","2026-03-26 20:55:48",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F462606da-34a5-400c-93e8-84c16f71d7e4?source=api-prod",9,[22,23,24,25],"helper-class.php","langs\u002Fwebd-woocommerce-reporting-statistics.pot","readme.txt","webd-woocommerce-reporting-statistics.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-24993\n\n## 1. Vulnerability Summary\nThe **Advanced Reporting & Statistics for WooCommerce** plugin (versions \u003C= 4.1.3) is vulnerable to **Unauthenticated SQL Injection**. The vulnerability resides in the `OrderProcessorHelp` class (found in `helper-class.php`), specifically within the `display_orders_by_period` function and potentially other AJAX handlers like `get_orders`. The issue is caused by the direct concatenation of user-supplied parameters (such as `customer_id` and `order_status`) into SQL queries without proper sanitization or the use of `$wpdb->prepare()`.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `display_orders_by_period` (or `get_orders`, `get_customers`, etc., as they share similar logic).\n- **Vulnerable Parameters**: `customer_id` (via `get_posted_customer_id()`) and `order_status` (via `get_posted_order_status()`).\n- **Authentication**: Unauthenticated. 
While the source code for 4.1.3 shows `wp_ajax_` hooks, the CVE identifies this as unauthenticated, suggesting either missing\u002Fmisconfigured `nopriv` hooks or an alternative entry point in version 4.1.3.\n- **Preconditions**:\n    - WooCommerce must be installed and active.\n    -","The Advanced Reporting & Statistics for WooCommerce plugin is vulnerable to SQL injection because it directly concatenates user-supplied parameters into database queries within several AJAX functions. An attacker can exploit this to execute arbitrary SQL commands and extract sensitive information from the database, such as user credentials and configuration details.","\u002F\u002F helper-class.php lines 236-253\nif ( $customer_id ) {\n\t$query .= \" AND orders.customer_id = '{$customer_id}' \";\n}\n\n\u002F\u002F ... (truncated)\n\n$query .= \" GROUP BY period ORDER BY period DESC \";\n\n$results = $wpdb->get_results( $query );\n\n---\n\n\u002F\u002F helper-class.php lines 868-893\nif ( ! empty( $_POST['status'] ) ) {\n\t$query .= \" AND orders.status = '\" . $_POST['status'] . \"' \";\n}\n\n$data = $wpdb->get_results( $query );\n\n---\n\n\u002F\u002F helper-class.php lines 118-149\npublic function periodFilter( $period ) {\n\tglobal $wpdb;\n\t$theperiod = ( ( isset( $period ) && $period =='month' ) ? 
'%Y-%m' : '%Y' );\n\n\tif ( OrderUtil::custom_orders_table_usage_is_enabled() ) {\n\t\t$query = \"\n\t\t\tSELECT DISTINCT DATE_FORMAT(date_created_gmt, '{$theperiod}' ) AS period\n\t\t\tFROM {$wpdb->prefix}wc_orders\n\t\t\tWHERE type='shop_order'\n\t\t\tGROUP BY period\n\t\t\tORDER BY period DESC\n\t\t\";\n\t} \u002F\u002F ...\n\n\t$periods = $wpdb->get_results( $query );","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebd-woocommerce-advanced-reporting-statistics\u002F4.1.3\u002Fhelper-class.php\t2026-01-14 14:34:08.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebd-woocommerce-advanced-reporting-statistics\u002F4.1.4\u002Fhelper-class.php\t2026-01-19 16:41:56.000000000 +0000\n@@ -146,7 +148,7 @@\n \t\t\t\";\n \t\t}\n \n-\t\t$periods = $wpdb->get_results( $query );\n+\t\t$periods = $wpdb->get_results( $wpdb->prepare( $query ) );\n \n \t\tif ( $periods ) {\n \t\t\treturn $periods;\n@@ -253,7 +255,7 @@\n \n \t\t\t$query .= \" GROUP BY period ORDER BY period DESC \";\n \n-\t\t\t$results = $wpdb->get_results( $query );\n+\t\t\t$results = $wpdb->get_results( $wpdb->prepare( $query ) );\n \n \t\t\t$message = '';\n \n@@ -890,7 +892,7 @@\n \n \t\t\t}\n \n-\t\t\t$data = $wpdb->get_results( $query );\n+\t\t\t$data = $wpdb->get_results( $wpdb->prepare( $query ) );\n \n \t\t\t$response = array(\n \t\t\t\t'customers' => '',\n@@ -996,7 +998,7 @@\n \t\t\t\tORDER BY total DESC\n \t\t\t\";\n \n-\t\t\t$data = $wpdb->get_results( $query );\n+\t\t\t$data = $wpdb->get_results( $wpdb->prepare( $query ) );\n \n \t\t\t$response = array(\n \t\t\t\t'name'      => array(),\n@@ -1093,7 +1095,7 @@\n \t\t\t\tORDER BY total DESC\n \t\t\t\";\n \n-\t\t\t$data = $wpdb->get_results( $query );\n+\t\t\t$data = $wpdb->get_results( $wpdb->prepare( $query ) );\n \n \t\t\t$response = array(\n \t\t\t\t'name'     => array(),\n@@ -1181,7 +1183,7 @@\n \t\t\t\tORDER BY total DESC\n \t\t\t\";\n \n-\t\t\t$data = 
$wpdb->get_results( $query );\n+\t\t\t$data = $wpdb->get_results( $wpdb->prepare( $query ) );\n \n \t\t\t$response = array(\n \t\t\t\t'name'    => array(),\n@@ -1311,7 +1313,7 @@\n \t\t\t\tORDER BY total DESC\n \t\t\t\";\n \n-\t\t\t$data = $wpdb->get_results( $query );\n+\t\t\t$data = $wpdb->get_results( $wpdb->prepare( $query ) );\n \n \t\t\t$response = array(\n \t\t\t\t'name'     => array(),\n@@ -1420,7 +1422,7 @@\n \t\t\t\tORDER BY total DESC\n \t\t\t\";\n \n-\t\t\t$data = $wpdb->get_results( $query );\n+\t\t\t$data = $wpdb->get_results( $wpdb->prepare( $query ) );\n \n \t\t\t$response = array(\n \t\t\t\t'name'       => array(),","The exploit targets the AJAX handlers registered in the OrderProcessorHelp class, such as display_orders_by_period or get_customers. An attacker sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with an action parameter matching one of these handlers. By supplying a malicious SQL payload in the customer_id or order_status parameters, the attacker breaks out of the intended SQL query string and appends their own logic. Since these methods utilize $wpdb->get_results() on a raw concatenated string, the injected SQL is executed directly. 
Although the code contains current_user_can('manage_woocommerce') checks in some functions, the vulnerability is reported as unauthenticated, implying bypasses or specific unprotected paths in versions \u003C= 4.1.3.","gemini-3-flash-preview","2026-04-18 02:28:41","2026-04-18 02:29:28",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","4.1.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwebd-woocommerce-advanced-reporting-statistics\u002Ftags\u002F4.1.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwebd-woocommerce-advanced-reporting-statistics.4.1.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwebd-woocommerce-advanced-reporting-statistics\u002Ftags\u002F4.1.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwebd-woocommerce-advanced-reporting-statistics.4.1.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwebd-woocommerce-advanced-reporting-statistics\u002Ftags"]
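Review bot: in the periodFilter hunk (@@ -146), wrapping `$query` in `$wpdb->prepare( $query )` with no arguments adds no protection, because prepare() escapes only the values passed as extra arguments and returns the query text otherwise as given; here that is harmless, since the query holds no user input (`$theperiod` is hard-coded to '%Y-%m' or '%Y'), so either drop the wrap or, if it stays, write the DATE_FORMAT percent signs as `%%`, the WordPress convention for literal percents inside a prepared query.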
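Review bot: the hunk at @@ -253 does not fix the injection: `$customer_id` was already interpolated into `$query` at the `AND orders.customer_id = '{$customer_id}'` line, and `$wpdb->prepare( $query )` with no arguments escapes nothing that is already inside the string (WordPress also raises a `_doing_it_wrong` notice for `wpdb::prepare()` when the query carries no placeholder). Build the clause with a bound value instead, e.g. `$query .= $wpdb->prepare( ' AND orders.customer_id = %d ', $customer_id );`, and do the same for every other posted filter appended to this query. The hunk headers are offset by two lines relative to 4.1.3, so two lines were added above line 146 that this excerpt does not show; if they sanitize the posted values in the getters, that is the part of the change that actually matters and it belongs in the review.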
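Review bot: same problem at @@ -890: the vulnerable excerpt shows `$_POST['status']` concatenated into `$query` unescaped, so the no-argument prepare() leaves that value live. Unslash and sanitize the input and pass it as a `%s` argument, e.g. `$query .= $wpdb->prepare( ' AND orders.status = %s ', sanitize_text_field( wp_unslash( $_POST['status'] ) ) );`. Nothing in the hunk shows a nonce or capability check on this handler either, which matters given that the advisory rates the issue unauthenticated.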
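Review bot: the remaining hunks (@@ -996, -1093, -1181, -1311, -1420) apply the same no-argument prepare() wrap, and their query bodies lie outside the shown context, so each needs the same check: any posted value concatenated into those `ORDER BY total DESC` queries is still injectable after this patch and has to become a placeholder argument.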
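Added example, not the plugin's code and not from this page: the concatenation pattern in the research_vulnerable_code excerpt (a posted customer id interpolated into the orders-by-period query, which then runs through get_results with no placeholders) rebuilt in Python against an in-memory SQLite database, so the quote breakout and the parameterised fix can be run offline side by side. The tables, columns and rows are constructed for the demo, MySQL's DATE_FORMAT() is replaced by SQLite's strftime(), and the payload is the generic close-the-quote / UNION / comment-out-the-rest shape, not a tested exploit against the plugin.

```python
"""Concatenated vs. parameterised period report query (added demo, not plugin code)."""
import sqlite3

# Constructed sample data standing in for a WooCommerce store; names assumed.
SCHEMA = """
CREATE TABLE wc_orders (
    id INTEGER PRIMARY KEY,
    type TEXT, customer_id INTEGER, status TEXT,
    total REAL, date_created_gmt TEXT
);
CREATE TABLE users (user_login TEXT, user_pass TEXT);
INSERT INTO wc_orders VALUES
    (1, 'shop_order', 7, 'wc-completed', 40.0, '2026-01-05 10:00:00'),
    (2, 'shop_order', 7, 'wc-completed', 15.5, '2026-02-11 09:30:00'),
    (3, 'shop_order', 9, 'wc-pending',   99.0, '2026-02-20 18:45:00');
INSERT INTO users VALUES ('admin', '$P$BconstructedHashForDemo');
"""


def connect():
    """Fresh in-memory database loaded with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def orders_by_period_vulnerable(db, customer_id):
    """Same shape as the vulnerable code: the posted value is dropped straight
    into the SQL text, so a quote in it ends the literal and the rest of the
    value is parsed as SQL. Wrapping the finished string in a no-argument
    prepare() would change nothing here."""
    query = (
        "SELECT strftime('%Y-%m', date_created_gmt) AS period, SUM(total) AS total "
        "FROM wc_orders WHERE type = 'shop_order' "
        f"AND customer_id = '{customer_id}' "
        "GROUP BY period ORDER BY period DESC"
    )
    return db.execute(query).fetchall()


def orders_by_period_fixed(db, customer_id):
    """Placeholder bound by the driver: the value never becomes SQL text.
    This is the SQLite counterpart of $wpdb->prepare( '... = %d', $customer_id )."""
    query = (
        "SELECT strftime('%Y-%m', date_created_gmt) AS period, SUM(total) AS total "
        "FROM wc_orders WHERE type = 'shop_order' "
        "AND customer_id = ? "
        "GROUP BY period ORDER BY period DESC"
    )
    return db.execute(query, (customer_id,)).fetchall()


# Payload in the shape the advisory describes: close the quoted literal,
# UNION rows from another table onto the result, comment out the trailing
# GROUP BY / ORDER BY so the statement still parses.
PAYLOAD = "0' UNION SELECT user_login, user_pass FROM users -- "


def demo():
    """Run the same payload through both versions and return both results."""
    db = connect()
    leaked = orders_by_period_vulnerable(db, PAYLOAD)
    safe = orders_by_period_fixed(db, PAYLOAD)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", leaked)   # contains the ('admin', hash) row
    print("fixed:     ", safe)     # [] : payload treated as a customer id that matches nothing
```

The fixed variant returns the legitimate report for a real customer id and an empty result for the payload, because the bound parameter is compared as data; the vulnerable variant returns the users rows alongside the (empty) aggregate. The comparison is what the 4.1.4 change needs to achieve and what a no-argument `$wpdb->prepare( $query )` on an already-built string does not.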
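A second added example, mine rather than the project's: a small source audit for the two patterns visible in this page's diff, a `$wpdb->prepare( $query )` call with no placeholder arguments and a `$wpdb` query method called on a bare variable. It runs over a constructed PHP snippet shaped like the 4.1.3/4.1.4 lines; the regexes are heuristics for a first pass over a plugin tree and will miss a prepare() call that does pass arguments but whose query string already carries interpolated input.

```python
"""Grep-style audit for no-argument $wpdb->prepare() and raw-variable $wpdb queries (added demo)."""
import re

# Constructed PHP sample in the shape of the diff on this page; not the plugin file.
SAMPLE_PHP = r"""
$query .= " AND orders.customer_id = '{$customer_id}' ";
$results = $wpdb->get_results( $wpdb->prepare( $query ) );
$data = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}wc_orders WHERE customer_id = %d", $customer_id ) );
$periods = $wpdb->get_results( $query );
"""

# prepare() whose only argument is a variable: nothing gets escaped.
NOARG_PREPARE = re.compile(r"\$wpdb->prepare\(\s*\$\w+\s*\)")
# A query method handed a bare variable with no prepare() at all.
RAW_QUERY = re.compile(
    r"\$wpdb->(?:get_results|get_var|get_row|get_col|query)\(\s*\$\w+\s*\)"
)


def audit(php_source):
    """Return (line number, finding) tuples for each suspicious line."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        if NOARG_PREPARE.search(line):
            findings.append((lineno, "prepare() called with a bare variable and no placeholder arguments"))
        elif RAW_QUERY.search(line):
            findings.append((lineno, "query method called on a raw variable without prepare()"))
    return findings


def audit_file(path):
    """Convenience wrapper for a real plugin file (assumed path, read as UTF-8)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit(fh.read())


if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_PHP):
        print(f"line {lineno}: {finding}")
```

Run `audit_file()` over each PHP file under a plugin directory after updating; a hit on the first pattern is exactly the shape this diff introduces and should be treated as unfixed until the query is rebuilt with placeholders, while the properly prepared line in the sample (placeholder plus argument) produces no finding.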