CVE-2026-0678 Overview
CVE-2026-0678 is a time-based SQL injection vulnerability in the Flat Shipping Rate by City for WooCommerce plugin for WordPress. The flaw exists in the cities parameter and affects all versions up to and including 1.0.3. Insufficient escaping of user-supplied input and missing prepared statement usage allow attackers to append additional SQL statements to existing queries. Authenticated users with Shop Manager privileges or higher can exploit the issue to extract sensitive data from the WordPress database. The vulnerability is tracked under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Authenticated Shop Manager accounts can leverage time-based SQL injection to exfiltrate database contents, including customer records and authentication material stored in WordPress tables.
Affected Products
- Flat Shipping Rate by City for WooCommerce plugin for WordPress, versions up to and including 1.0.3
- WordPress sites running WooCommerce with this plugin installed and activated
- Any deployment granting third parties Shop Manager-level access or above
Discovery Timeline
- 2026-01-14 - CVE-2026-0678 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-0678
Vulnerability Analysis
The vulnerability resides in the plugin's shipping method class, specifically around line 154 of shipping-method-class.php. The cities parameter received from the administrator interface is interpolated into a database query without escaping or parameter binding. WordPress's $wpdb API offers both a raw query() method and prepare(), which escapes and quotes bound values; a code path that builds the SQL string directly from request input and hands it to query() gets none of that protection. An authenticated attacker can therefore inject syntactically valid SQL fragments through the cities value to alter the executed query.
The injection is time-based, meaning the attacker infers data by triggering conditional SLEEP() calls and measuring response latency. This technique works even when the application returns no visible output from the query. Successful exploitation enables row-by-row extraction of database contents, including the wp_users table containing password hashes and session tokens.
Root Cause
The root cause is improper neutralization of special characters in the cities request parameter combined with the absence of a prepared statement. The plugin concatenates the attacker-controlled string directly into the SQL query rather than using $wpdb->prepare() with placeholders such as %s or %d.
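The contrast below is an added illustration of the pattern just described, written for this page; it is hypothetical code, not the plugin's actual shipping-method-class.php. The table name shipping_city_rates, its columns, and the two function names are assumptions.

```php
<?php
// Hypothetical illustration of the CWE-89 pattern described above; not the
// plugin's own code. Assumes a custom table with columns city and rate.

// Vulnerable form: each city from the request is wrapped in quotes by string
// concatenation, so a value containing a quote rewrites the query itself.
function get_rates_vulnerable( string $cities_csv ): array {
    global $wpdb;
    $table  = $wpdb->prefix . 'shipping_city_rates'; // assumed table name
    $cities = array_map( 'trim', explode( ',', $cities_csv ) );
    $quoted = "'" . implode( "','", $cities ) . "'";   // no escaping, no binding
    $sql    = "SELECT city, rate FROM {$table} WHERE city IN ({$quoted})";
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}

// Hardened form: one %s placeholder per city. $wpdb->prepare() escapes and
// quotes every bound value, so request data can never change the SQL text.
function get_rates_prepared( string $cities_csv ): array {
    global $wpdb;
    $table  = $wpdb->prefix . 'shipping_city_rates'; // assumed table name
    $cities = array_values( array_filter( array_map( 'trim', explode( ',', $cities_csv ) ), 'strlen' ) );
    if ( empty( $cities ) ) {
        return array();
    }
    // Generate exactly count($cities) placeholders, then bind the values;
    // prepare() accepts the values as a single array argument.
    $placeholders = implode( ',', array_fill( 0, count( $cities ), '%s' ) );
    $sql = $wpdb->prepare(
        "SELECT city, rate FROM {$table} WHERE city IN ({$placeholders})",
        $cities
    );
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}
```

Sanitizing the incoming value with sanitize_text_field() is still worthwhile for data hygiene, but it is the placeholder binding, not the sanitization, that closes the injection.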
Attack Vector
Exploitation requires authenticated access at Shop Manager level or above. The attacker submits a crafted value in the cities parameter through the plugin's administrative workflow. The malicious payload terminates the original SQL string, appends a boolean-conditional SLEEP() clause, and forces the database server to delay responses when a guessed condition is true. By iterating over characters in target fields, the attacker reconstructs sensitive values such as user emails, password hashes, and API keys stored in WordPress options.
Verified technical references for the affected code path are available in the WordPress Plugin Code Repository and the Wordfence Vulnerability Analysis.
Detection Methods for CVE-2026-0678
Indicators of Compromise
- Unusually long response times on administrative requests that include the cities parameter, consistent with SLEEP()-based blind injection
- Database process lists showing queries against WooCommerce shipping tables containing concatenated SQL keywords such as UNION, SLEEP, or BENCHMARK
- WordPress audit logs showing Shop Manager accounts performing repeated shipping configuration edits in rapid succession
Detection Strategies
- Inspect HTTP request bodies and query strings to the WordPress admin endpoints for SQL metacharacters in the cities field
- Enable MySQL or MariaDB general query logging on a sample basis and alert on statements referencing the shipping plugin's tables together with timing functions
- Correlate WordPress user activity with database query latency spikes to surface blind injection probing
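As an added example, not from the page or the plugin, the must-use plugin below implements the second and third strategies above from inside WordPress: it hooks the query filter that wpdb::query() applies to every statement and logs, together with the acting user and roles, any statement that touches the shipping table and also calls SLEEP() or BENCHMARK(). The table-name fragment, the function names and the log line format are assumptions.

```php
<?php
/**
 * Plugin Name: SQLi timing-function monitor (hypothetical illustration, not the plugin's code)
 * Place in wp-content/mu-plugins/. It logs suspicious statements; it never blocks them.
 */

// Assumption: the vulnerable plugin's table name contains this fragment; set it to the real name.
const SQLI_MONITOR_TABLE_FRAGMENT = 'shipping';

/**
 * True when a statement references the shipping table AND calls a MySQL timing
 * function, a combination the plugin's legitimate queries never need.
 */
function sqli_monitor_is_suspicious( string $sql ): bool {
    $touches_table = stripos( $sql, SQLI_MONITOR_TABLE_FRAGMENT ) !== false;
    $timing_call   = 1 === preg_match( '/\b(SLEEP|BENCHMARK)\s*\(/i', $sql );
    return $touches_table && $timing_call;
}

/**
 * Handler for the 'query' filter. Records the acting user, roles and client
 * address next to the statement so the database event can be tied back to a
 * Shop Manager session, then returns the query unchanged.
 */
function sqli_monitor_query_filter( string $query ): string {
    if ( ! sqli_monitor_is_suspicious( $query ) ) {
        return $query;
    }
    $login = 'unknown';
    $roles = 'unknown';
    // Pluggable functions load after mu-plugins, so guard the user lookup.
    if ( function_exists( 'wp_get_current_user' ) ) {
        $user  = wp_get_current_user();
        $login = $user->exists() ? $user->user_login . '(' . $user->ID . ')' : 'anonymous';
        $roles = $user->exists() ? implode( '|', $user->roles ) : '-';
    }
    error_log( sprintf(
        'SQLI_MONITOR user=%s roles=%s ip=%s stmt=%s',
        $login,
        $roles,
        $_SERVER['REMOTE_ADDR'] ?? '-',
        substr( preg_replace( '/\s+/', ' ', $query ), 0, 500 )
    ) );
    return $query;
}
add_filter( 'query', 'sqli_monitor_query_filter' );
```

Ship the resulting PHP error log to the same platform as the access and slow-query logs so the user and latency correlation described above can be done in one place.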
Monitoring Recommendations
- Forward WordPress access logs and database slow-query logs to a centralized analytics platform for retention and correlation
- Alert on Shop Manager and Administrator role assignments and on plugin configuration changes outside maintenance windows
- Track the plugin version present in wp-content/plugins/flat-shipping-rate-by-city-for-woocommerce/ and flag installations at version 1.0.3 or earlier
How to Mitigate CVE-2026-0678
Immediate Actions Required
- Update the Flat Shipping Rate by City for WooCommerce plugin to a release later than 1.0.3 as soon as the vendor publishes a fixed version
- Audit existing Shop Manager and Administrator accounts and revoke access for users who do not require shipping configuration privileges
- Rotate WordPress administrator passwords, API keys, and any secrets stored in wp_options if exploitation is suspected
Patch Information
At the time of NVD publication on 2026-01-14, the advisory identifies all versions up to and including 1.0.3 as vulnerable. Administrators should monitor the WordPress plugin repository for a patched release and review the Wordfence Vulnerability Analysis for current remediation guidance.
Workarounds
- Deactivate and remove the plugin until a patched version is installed if shipping-by-city functionality is not business critical
- Restrict access to the WordPress admin interface using IP allowlisting or a VPN to limit who can reach the vulnerable parameter
- Deploy a Web Application Firewall rule that blocks SQL metacharacters and timing functions in the cities POST parameter. Note that the keyword list in the rule below matches substrings, so a legitimate city name containing "union" or "select" (for example Union City) would also be denied; tune the expression or add an exception list before enforcing it.
# Example WAF rule (ModSecurity) blocking SQL keywords in the cities parameter
SecRule ARGS:cities "@rx (?i)(union|select|sleep|benchmark|--|;)" \
"id:1026678,phase:2,deny,status:403,msg:'CVE-2026-0678 SQLi attempt in cities parameter'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.