CVE-2026-22335: WordPress WooCommerce Frontend Manager – Ultimate plugin < 6.7.7 - SQL Injection vulnerability
Subscriber SQL Injection in WooCommerce Frontend Manager – Ultimate < 6.7.7 versions.
Metrics
- CVSS v3.1: 8.5
- Severity: HIGH
- Fixed in: 6.7.7
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a SQL injection vulnerability in the WooCommerce Frontend Manager - Ultimate WordPress plugin, affecting all versions before 6.7.7. An attacker with only a subscriber-level account can reach the vulnerable endpoint over the network, with no victim interaction required, and inject malicious SQL into database queries. Successful exploitation gives the attacker read access to sensitive data stored in the WordPress database and can also partially disrupt service availability. A patched-image rebuild at version 6.7.7 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-22335 is available across every HarborGuard environment - the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against all customer images, including custom-built WordPress or WooCommerce images that bundle this plugin.
HarborGuard scores this CVE at 8.5 HIGH using the CVSS v3.1 vector and weights the finding against each environment's compliance policy to determine urgency; the resulting alert is routed to the appropriate team inbox within the customer organization based on configured ownership rules.
A patched-image rebuild at version 6.7.7 becomes available on HarborGuard for any environment found running an affected version of the plugin. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so the attacker must be able to reach the WordPress/WooCommerce service via HTTP.
- Authentication: Required
A low-privilege subscriber-level account is sufficient; the attacker does not need administrative or editor privileges.
- Victim interaction: Not required
No victim action is needed; the attacker sends the malicious request directly without involving another user.
- Attack complexity: Low
Exploit complexity is low - no race conditions, special memory layout, or environmental prerequisites are required to inject the payload reliably.
Blast Radius
- Reads confidential data stored in the WordPress database, including user records, order details, and stored session or credential material.
- Scope extends beyond the vulnerable plugin itself (CVSS scope change), meaning injected queries can reach tables owned by WordPress core, other components, or other installed plugins.
- Causes partial availability loss, for example slowing or erroring out database queries that other site functions depend on.
How HarborGuard Handles This
Available on HarborGuard: when a container image bundling WooCommerce Frontend Manager - Ultimate below 6.7.7 is detected in a customer registry or CI pipeline, HarborGuard flags the image as HIGH severity and makes a rebuilt image at version 6.7.7 available immediately. For customers who opt into auto-remediation, the platform rebuilds the image, runs regression tests, and opens a pull request against affected workloads - median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the configured team inbox with full CVSS context and remediation steps attached. All environments are re-evaluated automatically on each ingest cycle so any newly pushed images are checked without additional configuration.
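The detection step described above comes down to reading the plugin's declared version and comparing it against the fixed release. The following is an added example, not HarborGuard's scanner or the plugin's own code: it parses the `Version:` line of a WordPress plugin main-file header (the sample header text is constructed for this example) and compares it numerically against 6.7.7. The numeric comparison matters because a lexical string compare would wrongly report a hypothetical 6.7.10 as older than 6.7.7.

```python
"""Flag a WordPress plugin header as affected when its version is below the fix.

Added example: not HarborGuard's scanner and not the plugin's code.
The fixed version comes from the advisory; the header text is constructed.
"""
import re
from typing import Optional, Tuple

FIXED_VERSION = "6.7.7"  # from the advisory: fixed in 6.7.7

# Constructed sample, shaped like the header block of a WordPress plugin main file.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: WooCommerce Frontend Manager - Ultimate
 * Version: 6.7.6
 * Requires at least: 5.0
 */
"""

_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the value of the 'Version:' header line, or None if absent."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[int, int, int, int]:
    """Normalise 'major.minor.patch[-suffix]' into a comparable tuple.

    Missing components pad to 0, so '6.7' == '6.7.0'. A suffix such as
    '7-beta1' marks a pre-release, which sorts below the final release of
    the same number; that errs on the side of flagging it as affected.
    """
    nums, prerelease = [], 0
    for piece in version.split("."):
        m = re.match(r"(\d+)(.*)", piece)
        if not m:
            break
        nums.append(int(m.group(1)))
        if m.group(2):
            prerelease = -1
            break
    nums = (nums + [0, 0, 0])[:3]
    return (nums[0], nums[1], nums[2], prerelease)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fix."""
    return version_key(version) < version_key(fixed)


def scan_plugin_header(header_text: str) -> dict:
    """Combine parsing and comparison into one finding record."""
    version = parse_plugin_version(header_text)
    return {
        "version": version,
        "fixed_in": FIXED_VERSION,
        "affected": version is not None and is_affected(version),
    }


if __name__ == "__main__":
    print(scan_plugin_header(SAMPLE_PLUGIN_HEADER))
```

Note that `is_affected("6.7.10")` is False while the plain string comparison `"6.7.10" < "6.7.7"` is True; that is the kind of false positive (or, in the mirror case, false negative) a version check must avoid.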
Fix available
- WC Lovers. / WooCommerce Frontend Manager – Ultimate < 6.7.7 (from n/a)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L