CVE-2026-0702 Overview
The VidShop – Shoppable Videos for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the fields parameter in all versions up to, and including, 1.1.4. The vulnerability exists due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Critical Impact
Unauthenticated attackers can exploit this SQL Injection vulnerability to extract sensitive information from the WordPress database, potentially compromising user credentials, customer data, and WooCommerce transaction information.
Affected Products
- VidShop – Shoppable Videos for WooCommerce plugin versions up to and including 1.1.4
- WordPress installations running vulnerable VidShop plugin versions
- WooCommerce stores utilizing VidShop for video shopping functionality
Discovery Timeline
- 2026-01-28 - CVE-2026-0702 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-0702
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) resides in the VidShop plugin's REST API implementation. The flaw specifically affects how the plugin processes the fields parameter without proper sanitization or parameterized queries. The injection is blind: the API response never shows the result of the injected SQL, so an attacker wraps a condition in a time-delay function and learns one true/false answer per request from whether the response is delayed.
The vulnerable code paths have been identified in the plugin's REST API controller and query builder components. The Videos Controller handles incoming API requests, while the Query Builder constructs database queries. The lack of proper input validation at these points allows malicious SQL to be incorporated into database operations.
Root Cause
The root cause of this vulnerability is the failure to validate user-supplied input before incorporating it into SQL queries. The fields parameter is concatenated into the query text, or escaped in a way that does not neutralise SQL syntax, rather than being handled through WordPress's prepared statement function $wpdb->prepare(). One caveat matters for this particular parameter: if, as its name suggests, fields selects which columns a query returns, the value lands in identifier position and cannot be bound as a value at all, so value escaping alone is not enough. The fix in that case is to check each requested name against an allowlist of real column names (or, on WordPress 6.2 and later, to pass it through the %i identifier placeholder of $wpdb->prepare()). Either way the classic SQL Injection pattern holds: SQL syntax supplied through the parameter becomes part of the query logic.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can craft malicious HTTP requests to the plugin's REST API endpoints, injecting SQL payloads through the fields parameter. The time-based nature of this SQL Injection means attackers use conditional delays (e.g., SLEEP() or BENCHMARK() functions in MySQL) to extract data character-by-character by measuring response times.
The attack flow typically involves:
- Identifying the vulnerable REST API endpoint
- Crafting time-based SQL injection payloads in the fields parameter
- Measuring response delays to infer true/false conditions
- Systematically extracting database contents including usernames, password hashes, and sensitive WooCommerce data
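The following is an added example, not code from the VidShop plugin or from this advisory, that models the root cause and the true/false oracle described above in Python against an in-memory SQLite table. It assumes, as the parameter name suggests, that fields carries a comma-separated list of column names; the table, columns and hash value are invented for the example. Because a column list sits in identifier position, escaping or binding it as a value does not help, so the hardened form checks every requested name against an allowlist before any SQL is built. SQLite has no SLEEP(), so the injected CASE returns 1 or 0 directly where a MySQL time-based probe would return SLEEP(3) or 0 and be read from the response delay.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the plugin's storage. The table and column
    names are invented for this example and are not the VidShop schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT, product_id INTEGER);
        CREATE TABLE users  (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO videos VALUES (1, 'Spring lookbook', 101), (2, 'Summer sale', 102);
        INSERT INTO users  VALUES (1, 'admin', '$P$constructed-hash-value');
    """)
    return conn


def vulnerable_query(conn, fields):
    """The anti-pattern the advisory describes: the caller-supplied field list
    is spliced into the SQL text. Bound parameters cannot fix this, because
    'fields' sits in identifier position (SELECT <here> FROM ...)."""
    return conn.execute(f"SELECT {fields} FROM videos").fetchall()


# Hardened form: an allowlist of the real column names. Anything else is
# rejected before a query exists, and the survivors are quoted as identifiers.
ALLOWED_FIELDS = {"id", "title", "product_id"}


class InvalidFieldsError(ValueError):
    pass


def safe_query(conn, fields):
    requested = [f.strip() for f in fields.split(",")]
    if any(f not in ALLOWED_FIELDS for f in requested):
        raise InvalidFieldsError(f"rejected fields parameter: {fields!r}")
    cols = ", ".join(f'"{f}"' for f in requested)
    return conn.execute(f"SELECT {cols} FROM videos").fetchall()


def probe(prefix):
    """Inference probe in the shape of a time-based payload. In MySQL the
    THEN/ELSE branches would be SLEEP(3) and 0 and the answer is read from
    the delay; SQLite has no SLEEP(), so the branch value is returned."""
    return ("id, CASE WHEN (SELECT substr(user_pass, 1, 1) FROM users WHERE id = 1)"
            f" = '{prefix}' THEN 1 ELSE 0 END")


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query(db, probe("$")))  # oracle answers 1: first hash char is '$'
    print(vulnerable_query(db, probe("x")))  # oracle answers 0
    try:
        safe_query(db, probe("$"))
    except InvalidFieldsError as exc:
        print(exc)
```

Run it and the vulnerable path answers the probe for '$' with 1 and for 'x' with 0, which is exactly the per-character oracle the attack flow relies on, while the allowlisted path rejects the same payload before any SQL is built.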
Detection Methods for CVE-2026-0702
Indicators of Compromise
- Unusual or lengthy response times from WordPress REST API endpoints related to VidShop plugin
- HTTP requests containing SQL keywords (SLEEP, BENCHMARK, IF, CASE, WHEN) in the fields parameter, including their URL-encoded forms (for example SLEEP%28)
- Multiple sequential requests to /wp-json/vidshop/ endpoints with varying payloads
- Database query logs showing unexpected time-delay functions or conditional statements
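As an added example of turning the indicators above into detection logic (this is not tooling from the advisory or from any vendor), the Python below parses constructed Apache combined-format access log lines that carry a trailing response-time field in microseconds (%D), flags VidShop REST requests whose fields parameter contains a time-delay function or a conditional keyword after URL-decoding, flags abnormally slow responses, and reports source addresses that sent several distinct fields values in a row. The log lines, addresses and the /wp-json/vidshop/v1/videos route are constructed for the example; the advisory names only the /wp-json/vidshop/ prefix.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic (not real logs): one legitimate VidShop request,
# two time-based probes from the same source, and an unrelated WooCommerce call.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Jan/2026:10:00:01 +0000] "GET /wp-json/vidshop/v1/videos?fields=id,title HTTP/1.1" 200 512 "-" "Mozilla/5.0" 41000
198.51.100.7 - - [29/Jan/2026:10:00:03 +0000] "GET /wp-json/vidshop/v1/videos?fields=id%2C(SELECT%20IF(SUBSTR(user_pass%2C1%2C1)%3D%27%24%27%2CSLEEP(3)%2C0)%20FROM%20wp_users%20WHERE%20ID%3D1) HTTP/1.1" 200 512 "-" "python-requests/2.31" 3052000
198.51.100.7 - - [29/Jan/2026:10:00:07 +0000] "GET /wp-json/vidshop/v1/videos?fields=id%2C(SELECT%20IF(SUBSTR(user_pass%2C1%2C1)%3D%27P%27%2CSLEEP(3)%2C0)%20FROM%20wp_users%20WHERE%20ID%3D1) HTTP/1.1" 200 512 "-" "python-requests/2.31" 48000
203.0.113.9 - - [29/Jan/2026:10:00:09 +0000] "GET /wp-json/wc/store/v1/products?fields=id HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 60000
"""

# Combined log format plus a trailing %D (microseconds) field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<us>\d+)$'
)
# Delay functions and conditional keywords from the advisory's indicator list.
DELAY_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)
COND_RE = re.compile(r"\b(if|case|when)\b", re.I)
# Route prefix named by the advisory; the full route in the sample is assumed.
VIDSHOP_PREFIX = "/wp-json/vidshop/"


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes, so %2C / %28 / %20 variants collapse to plain text.
    rec["fields"] = parse_qs(parts.query).get("fields", [""])[0]
    rec["us"] = int(rec["us"])
    return rec


def classify(rec, slow_us):
    """Return the list of indicator hits for one parsed request."""
    reasons = []
    if not rec["path"].startswith(VIDSHOP_PREFIX):
        return reasons
    if DELAY_RE.search(rec["fields"]):
        reasons.append("time-delay function in fields")
    if COND_RE.search(rec["fields"]):
        reasons.append("conditional keyword in fields")
    if rec["us"] >= slow_us:
        reasons.append(f"slow response ({rec['us'] / 1e6:.1f}s)")
    return reasons


def analyze(log_text, slow_us=2_000_000, min_variants=2):
    """Return (alerts, probing_ips): per-request hits, and sources that sent
    at least min_variants distinct fields values to VidShop routes."""
    alerts = []
    variants = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(VIDSHOP_PREFIX):
            variants[rec["ip"]].add(rec["fields"])
        reasons = classify(rec, slow_us)
        if reasons:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"],
                           "fields": rec["fields"], "reasons": reasons})
    probing = {ip for ip, seen in variants.items() if len(seen) >= min_variants}
    return alerts, probing


if __name__ == "__main__":
    found, probing_ips = analyze(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["ip"], "; ".join(a["reasons"]))
    print("sources cycling payloads:", sorted(probing_ips))
```

Note that only the probe whose condition was true shows up as slow; the false branch returns quickly, so a detection keyed on response time alone misses half of the probes. The conditional-keyword check is the weakest of the three signals (a legitimate column named case would trip it), so treat a hit as an alert only in combination with the delay function, the slow response, or the payload cycling from one source.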
Detection Strategies
- Monitor web application firewall (WAF) logs for SQL injection patterns targeting the fields parameter
- Implement anomaly detection for REST API response times exceeding normal thresholds
- Deploy SentinelOne Singularity to detect and block SQL injection attack patterns at the endpoint level
- Review WordPress access logs for suspicious requests to VidShop plugin endpoints
Monitoring Recommendations
- Enable the MySQL/MariaDB slow query log with a threshold of a second or two; a successful time-based probe is, by construction, a query that runs for the length of the injected delay (WordPress's own SAVEQUERIES constant only keeps a single request's queries in memory for debugging and is not a substitute)
- Configure alerting for requests containing common SQL injection characters and keywords
- Monitor for data exfiltration attempts following potential SQL injection activity
- Implement rate limiting on REST API endpoints to slow down automated exploitation attempts
How to Mitigate CVE-2026-0702
Immediate Actions Required
- Update the VidShop – Shoppable Videos for WooCommerce plugin to a version newer than 1.1.4 immediately
- If immediate update is not possible, temporarily disable the VidShop plugin until patching is complete
- Review WordPress and database logs for evidence of exploitation attempts
- Consider implementing a Web Application Firewall (WAF) rule to block suspicious requests to VidShop endpoints
Patch Information
A security patch has been released to address this vulnerability. The fix is available in WordPress Changeset 3441106. Site administrators should update through the WordPress plugin update mechanism or manually download the patched version from the WordPress plugin repository. For detailed vulnerability information, refer to the Wordfence Vulnerability Report.
Workarounds
- Disable the VidShop plugin entirely if an update cannot be applied immediately
- Implement WAF rules to filter requests containing SQL injection patterns in the fields parameter
- Restrict access to the plugin's REST API endpoints by IP allowlisting or by requiring authentication, bearing in mind that if those endpoints serve the public storefront's shoppable videos this is functionally the same as disabling the plugin
- Use a security plugin like Wordfence to add additional SQL injection protection layers
# Configuration example: block obvious SQL injection probes against VidShop REST routes via .htaccess
# Add to the WordPress root .htaccess file. This is a stopgap until the plugin is updated, not a fix:
# mod_rewrite sees only the request line, so POST bodies are not inspected, and any signature list can be
# bypassed by rewording or re-encoding the payload. Confirm it does not block legitimate storefront
# traffic before deploying.
<IfModule mod_rewrite.c>
RewriteEngine On
# Match the VidShop REST prefix, including the ?rest_route= form WordPress accepts when pretty permalinks are off
RewriteCond %{REQUEST_URI} ^/wp-json/vidshop/ [NC,OR]
RewriteCond %{QUERY_STRING} (^|&)rest_route=(/|%2F)vidshop(/|%2F) [NC]
# QUERY_STRING is matched raw (not URL-decoded), so allow for "(" as %28 and whitespace as + or %20
RewriteCond %{QUERY_STRING} (sleep|benchmark)(\s|\+|%20)*(\(|%28) [NC,OR]
RewriteCond %{QUERY_STRING} (union|select|insert|update|delete|drop)(\s|\+|%20)+ [NC]
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


