External risk intelligence

Cargo Shipping Location for WooCommerce Blind SQL Injection Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-54815

A critical SQL injection vulnerability in the Cargo Shipping Location for WooCommerce plugin allows attackers to access sensitive database information. The vulnerability is reachable via the network and can be exploited by unauthenticated attackers, potentially leading to unauthorized data exposure on e-commerce sites.

SQL Injection

Halo Surface Signal

Likely · external exposure

4Halo Surface Signal

The vulnerability affects a WooCommerce plugin, which is specifically designed to function as an internet-facing web application component. As an e-commerce plugin, it is typically deployed on public-facing websites to handle customer interactions, making the attack surface readily accessible to users over the internet.

Horizon Alert

Summary of the vulnerability and why it matters

A critical SQL injection vulnerability has been identified in a WooCommerce plugin that handles shipping location data. This flaw could allow unauthenticated attackers to access sensitive information from the system. The primary concern is to confirm if this plugin is in use and assess potential exposure.

  • Allows unauthenticated data access.
  • Affects e-commerce sites using shipping plugins.
  • Confirm relevance and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted data over the network to a vulnerable installation of the Cargo Shipping Location for WooCommerce plugin. This could allow them to manipulate database queries, potentially leading to the disclosure of sensitive information or unauthorized system actions.

  • Entry Condition: Publicly accessible web server.
  • Trigger Point: Input fields within the plugin.
  • Resulting Risk: Sensitive data exposure.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to inject malicious SQL commands into the Cargo Shipping Location for WooCommerce plugin. When this plugin is used in conjunction with a WooCommerce site, an attacker could potentially access, modify, or delete sensitive data stored in the site's database.

  • Database information.
  • Malicious SQL commands sent to the server.
  • Compromise of site data.

Operational Fix

Recommended remediation, mitigation, and detection steps

This SQL injection vulnerability in the Cargo Shipping Location for WooCommerce plugin impacts public-facing e-commerce sites. The primary responsibility for addressing this falls to the application owner or the web development team managing the WooCommerce site. The first practical step is to identify all instances of the plugin, confirm its business criticality and internet reachability, and then engage with the appropriate team to plan remediation, likely involving coordination with the vendor.

  • Application owners must confirm plugin instances.
  • Verify plugin exposure and business criticality.
  • Plan remediation with vendor coordination.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-54815 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This SQL injection vulnerability could allow an attacker to bypass security controls and impact data integrity, making it relevant for PCI scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is the Cargo Shipping Location for WooCommerce plugin?

This software is an extension for WooCommerce, the e-commerce platform built on WordPress. It helps site administrators manage and display specific shipping location data to customers during the checkout or ordering process. It functions as a server-side component that interacts with the site's database to retrieve and present geographic shipping information.

What does CVE-2026-54815 mean by SQL injection?

This vulnerability is classified as Improper Neutralization of Special Elements used in an SQL Command, or CWE-89. It means the plugin fails to properly filter or sanitize user-supplied data before incorporating it into database queries. An attacker can leverage this flaw to inject their own malicious SQL commands, potentially tricking the database into revealing information it should keep private.

How can an attacker trigger this vulnerability?

An attacker triggers this by sending specially crafted input to the plugin through the network, typically via input fields exposed by the software. It is important to note that this does not require a legitimate user account or administrative access to the site. If the plugin's code does not properly handle these inputs, the database will execute the attacker's unintended commands.

Is my site at risk if I use this plugin?

According to Halo Surface Signal, this plugin is designed for e-commerce, meaning it is almost certainly deployed on public-facing web servers to interact with customers. Because the plugin is inherently internet-facing, it provides a direct path for remote attackers to reach the vulnerability without needing to bypass internal network defenses.

What should I do if I run this software?

The first step is to locate all installations of the Cargo Shipping Location for WooCommerce plugin within your environment. Once identified, verify if the site is public-facing and assess the sensitivity of the data stored in the connected database. Coordinate with your web development team to monitor for vendor updates and prepare to apply patches or alternatives to secure your site.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished