External risk intelligence

SQL Injection in WooCommerce Order Delivery Date Plugin

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-42386

An unauthenticated SQL injection vulnerability exists in the Order Delivery Date feature of a WooCommerce plugin. This could allow attackers to access or modify sensitive database information if the feature is reachable. Confirm whether this plugin is in use to understand potential exposure.

Halo Surface Signal score: 5

SQL Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-42386

This vulnerability affects a WooCommerce plugin, which is a public-facing web application component designed to handle customer orders. Because it functions as part of a public web storefront and is reachable by unauthenticated users over the internet, it is inherently exposed as part of the public web surface.

PCI scan relevance

PCI Relevance for CVE-2026-42386

Yes

CVE-2026-42386 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This unauthenticated SQL injection vulnerability allows attackers to manipulate database queries, which can lead to unauthorized access or modification of sensitive data. Such a flaw would likely cause a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in a WooCommerce plugin that handles order delivery dates. This issue could allow unauthenticated attackers to inject malicious SQL code, potentially leading to unauthorized access to sensitive data or disruption of services. The main concern is to confirm whether this specific plugin is in use and to understand the potential exposure.

  • Unauthenticated SQL injection in order delivery date handling.
  • Affects public-facing e-commerce operations.
  • Confirm usage and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a specially crafted request to a WooCommerce website. If the website uses a vulnerable version of the Order Delivery Date for WooCommerce plugin, the attacker could manipulate order data to inject malicious SQL commands. This could potentially allow them to access or modify sensitive database information.

  • No authentication required.
  • Triggered by manipulating order delivery date input.
  • Risk of unauthorized database access.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated SQL injection vulnerability in the Order Delivery Date feature of a WooCommerce plugin could allow an attacker to access and potentially modify sensitive database information. This could occur when the plugin's order delivery date functionality is accessed by an unauthenticated user over the network.

  • Database information could be accessed.
  • Unauthenticated network access to the plugin.
  • Potential for data leakage or modification.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This unauthenticated SQL injection in the Order Delivery Date for WooCommerce plugin impacts e-commerce platforms. Responsibility likely falls to the application owners and platform teams managing the WooCommerce instance, with support from security teams for exposure assessment. The immediate priority is to identify all instances of the affected plugin, confirm its reachability and business criticality, and then assign an accountable owner for remediation planning based on the identified risk.

  • Application owners should own this issue.
  • Verify plugin reachability and business criticality.
  • Plan and execute remediation based on risk.

Frequently asked questions

What is the Order Delivery Date for WooCommerce plugin?

This software is an extension for the WooCommerce platform that allows online store owners to add delivery date selection fields to their checkout process. By integrating directly into e-commerce storefronts, it helps manage logistics and order scheduling, making it a functional component of the public-facing shopping experience.

What does SQL injection mean for CVE-2026-42386?

This vulnerability, classified as CWE-89, occurs when software fails to properly sanitize user-provided input before using it in database queries. For this CVE, it means an attacker can submit malicious commands through the plugin's delivery date feature, effectively tricking the database into executing unauthorized instructions that could expose sensitive information.
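The CWE-89 pattern described above, as an added illustration that is not the plugin's code: a constructed order lookup in Python against an in-memory SQLite table, with the delivery date concatenated into the query text beside the hardened form that validates the value as a calendar date and binds it as a query parameter (in a WordPress plugin the equivalent binding is $wpdb->prepare). The table, rows and probe value are all constructed for the demonstration.

```python
import re
import sqlite3
from datetime import date

# Constructed sample rows standing in for an order table; this is not the
# plugin's schema or data.
SAMPLE_ORDERS = [
    (101, "2026-05-01", "alice@example.test"),
    (102, "2026-05-02", "bob@example.test"),
    (103, "2026-05-02", "carol@example.test"),
]

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, delivery_date TEXT, email TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    return conn


def orders_vulnerable(conn: sqlite3.Connection, delivery_date: str) -> list:
    """CWE-89 pattern: untrusted input is pasted into the SQL text, so the
    database cannot tell the submitted value apart from the query itself."""
    sql = f"SELECT id FROM orders WHERE delivery_date = '{delivery_date}'"
    return [row[0] for row in conn.execute(sql)]


def orders_hardened(conn: sqlite3.Connection, delivery_date: str) -> list:
    """Fix: reject anything that is not a real YYYY-MM-DD date, then bind the
    value as a parameter so it is only ever compared as data."""
    if not DATE_RE.match(delivery_date):
        raise ValueError("delivery_date must be YYYY-MM-DD")
    date.fromisoformat(delivery_date)  # rejects impossible dates such as 2026-13-45
    sql = "SELECT id FROM orders WHERE delivery_date = ?"
    return [row[0] for row in conn.execute(sql, (delivery_date,))]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed non-date value used only for the demonstration
    print("vulnerable query returned:", orders_vulnerable(db, probe))
    try:
        orders_hardened(db, probe)
    except ValueError as exc:
        print("hardened query rejected the input:", exc)
```

Run stand-alone, the vulnerable function returns every order for the non-date probe, while the hardened function refuses it before any SQL is executed.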

How is this SQL injection triggered?

The vulnerability is triggered when an attacker sends a specially crafted network request to the plugin's delivery date input fields. The plugin does not require authentication to process these inputs, and the bug is not triggered by standard customer actions or administrative tasks but by deliberate, malicious manipulation of the data sent to the server.

Do I need to worry about this if my site is public?

Yes. According to Halo Surface Signal, this plugin is part of a public-facing web application that is designed to be reachable by users over the internet. Since the vulnerability allows unauthenticated access, any website using the affected versions of this plugin should consider the risk of unauthorized database interaction as a significant concern.

What is the first step for teams using this plugin?

Your immediate priority is to conduct an inventory to identify all instances where this plugin is currently active. Once identified, evaluate the criticality of those specific storefronts and coordinate with your application owners to plan remediation. Focus on confirming plugin versions and assessing how reachability impacts your specific operational environment.
