CRITICAL | CVE-2026-42386 | CNA: Patchstack

CVE-2026-42386: WordPress Order Delivery Date for WooCommerce plugin <= 4.5.1 - SQL Injection vulnerability

Unauthenticated SQL Injection in Order Delivery Date for WooCommerce <= 4.5.1 versions.

Metrics

CVSS v3.1: 9.3
Severity: CRITICAL
Fixed in: none published (pending upstream)
Affected Products: 1


HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the Order Delivery Date for WooCommerce WordPress plugin at version 4.5.1 and earlier. The flaw is reachable over the network with no credentials and no user interaction, so any remote party able to send HTTP requests to the site can attempt it. Per the CVSS vector, successful exploitation yields a high confidentiality impact (read access to database contents) and a low availability impact; no direct integrity impact is scored. No upstream fix has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available when one is released.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-42386 is active in every HarborGuard environment; the CVE is matched against customer images within minutes of ingestion from upstream feeds including Patchstack, NVD, and OSV. Coverage extends to custom-built images that bundle the affected plugin, not only upstream base images.

Triage: Available

HarborGuard scores this finding at CVSS 9.3 Critical and weights it against each customer organization's compliance policy to determine urgency tier and routing. The finding can be dispatched automatically to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically once an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads are triggered without manual intervention once a fix version exists.
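The version match that Detection depends on is easy to get wrong: a plain string comparison treats "4.5.10" as lower than "4.5.1". The following is an added illustration of how a scanner can read the version out of a WordPress plugin's main file header and test it against the "<= 4.5.1" affected range. It is not HarborGuard's scanner or the plugin's code; the plugin file contents are constructed for the example, and the only assumption is the standard WordPress plugin header format (a "Version:" line in the leading comment block).

```python
import re
from typing import Optional, Tuple

# Constructed sample: the header comment of a WordPress plugin's main file.
# Hypothetical content for illustration only, not the real plugin file.
SAMPLE_PLUGIN_FILE = """<?php
/**
 * Plugin Name: Order Delivery Date for WooCommerce
 * Plugin URI: https://example.invalid/
 * Version: 4.5.1
 * Author: tychesoftwares
 */
"""

AFFECTED_MAX = "4.5.1"  # the advisory's "<= 4.5.1" bound


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.5.1' into (4, 5, 1). A non-numeric suffix ends parsing, so
    '4.5.1-beta' compares as 4.5.1 (conservative: still inside the range)."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts) or (0,)


def plugin_version(source: str) -> Optional[str]:
    """Read the 'Version:' line from a WordPress plugin header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", source,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_affected(version: str, max_affected: str = AFFECTED_MAX) -> bool:
    """True when version <= max_affected, compared component by component
    so that 4.5.10 is treated as newer than 4.5.1 and 4.5 equals 4.5.0."""
    a, b = parse_version(version), parse_version(max_affected)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a <= b


def scan_plugin_file(source: str) -> dict:
    """Scanner-style verdict for one plugin file: version found and whether
    it falls in the affected range. A file with no header is not flagged."""
    v = plugin_version(source)
    return {"version": v, "affected": v is not None and is_affected(v)}


if __name__ == "__main__":
    print(scan_plugin_file(SAMPLE_PLUGIN_FILE))
    for probe in ("4.5", "4.5.1", "4.5.10", "4.6", "4.5.1-beta"):
        print(probe, "affected" if is_affected(probe) else "not affected")
```

The same logic applies to any "<= X" range from a Patchstack or NVD record; the point of the padding step is that a scanner must never flag 4.5.10 or clear 4.5 by accident when the feed's bound is 4.5.1.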

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network; any remote host that can reach the WordPress installation can send a malicious request.

  • Authentication: Not required

    No account or session credentials are needed; the injection is reachable by anonymous HTTP requests.

  • Victim interaction: Not required

    No user on the target site has to click a link or take any action; the attacker interacts with the server directly.

  • Attack complexity: Low

    The exploit requires no race conditions, memory-layout knowledge, or special environmental preconditions, so it is expected to be reliable.

Blast Radius

  • Reads arbitrary database rows, including order records, customer personally identifiable information, WooCommerce settings, and WordPress user password hashes.
  • Exposes the password hashes to offline cracking, and any plaintext secrets other plugins keep in wp_options (API keys, SMTP credentials) to direct reuse, as a secondary step toward account takeover. WordPress stores session tokens hashed in user metadata and derives nonces from secrets in wp-config.php rather than storing them, so a read-only injection does not by itself hand over usable sessions.
  • Causes limited availability disruption through heavy or malformed queries that degrade database responsiveness (A:L).
  • The scope is changed (S:C in the CVSS vector): the vulnerable component is the plugin, but the impact lands on the WordPress database and can extend to any other schema or data reachable with the privileges of the database account WordPress connects with.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-42386 is active across scanning pipelines for any image bundling the Order Delivery Date for WooCommerce plugin at version 4.5.1 or earlier. Because no upstream fix exists as of the publication date, HarborGuard monitors the Patchstack advisory and NVD record on every ingest cycle. The moment a patched version is published, a rebuilt image at the fix version becomes available; for customers who opt into auto-remediation, that triggers an automated rebuild, regression test run, and a PR opened against affected workloads. Where auto-remediation is not enabled, the finding surfaces in the HarborGuard dashboard as a Critical-severity open item pending upstream resolution.

Until a fix ships, compensating controls worth evaluating are:

  • Deactivating the plugin, or removing it from the image, if business impact allows. This is the only control that removes the injection point rather than filtering traffic to it.
  • Allow-list validation in front of the application (WAF or reverse proxy) for the plugin's delivery-date parameters: accept only a well-formed calendar date and reject everything else. Blocking SQL metacharacters alone is weaker, because quote-free payloads such as numeric OR conditions or time-based probes contain none.
  • Least privilege for the database account WordPress connects with: access to the WordPress schema only, no FILE privilege, and no rights over other schemas on the same server, so that the scope-changed impact (S:C) stops at the application's own data.
  • Query logging or rate limiting on that database account, for detection and some damping of the availability impact while the plugin remains exposed.

Network policy that restricts the application pod's access to the database does not help here: the injected SQL runs over the application's own legitimate connection.
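To make the WAF point above concrete, here is an added example (not HarborGuard's or the plugin's code) contrasting a metacharacter deny-list with allow-list validation of a delivery-date parameter. The parameter format, the reference date and the payloads are constructed for the example; the real plugin's parameter names are not given on this page.

```python
import re
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

# Deny-list rule of the kind a generic WAF signature applies: reject values
# carrying common SQL metacharacters. Shown to expose its gap, not recommended.
SQL_METACHARS = re.compile(r"""['";\\]|--|#|/\*""")


def blocklist_allows(value: str) -> bool:
    """True if a metacharacter deny-list would let the value through."""
    return SQL_METACHARS.search(value) is None


# Allow-list rule: the value must be exactly one ISO date (YYYY-MM-DD), a real
# calendar day, and inside a plausible delivery window. Anything else is
# rejected before it can reach a query builder.
ISO_DATE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")


def allowlist_delivery_date(value: str, today: date,
                            max_days_ahead: int = 365) -> Optional[date]:
    """Return the parsed date if `value` is acceptable, otherwise None."""
    m = ISO_DATE.fullmatch(value)          # whole string, no trailing junk
    if not m:
        return None
    try:
        d = date(int(m[1]), int(m[2]), int(m[3]))   # rejects 2026-02-30
    except ValueError:
        return None
    if not (today <= d <= today + timedelta(days=max_days_ahead)):
        return None
    return d


TODAY = date(2026, 4, 20)  # constructed reference date for the examples below


def check(value: str, today: date = TODAY) -> Optional[str]:
    """Convenience wrapper: ISO string of the accepted date, or None."""
    d = allowlist_delivery_date(value, today)
    return d.isoformat() if d else None


# Constructed sample inputs for a hypothetical delivery-date parameter.
PAYLOADS: Dict[str, str] = {
    "benign":     "2026-05-04",
    "numeric_or": "2026-05-04 OR 1=1",          # no quotes, no comment markers
    "sleep":      "2026-05-04 OR SLEEP(5)",     # time-based probe, also quote-free
    "quote":      "2026-05-04' OR '1'='1",
    "bad_day":    "2026-02-30",                 # well-formed but not a real day
}


def evaluate(today: date = TODAY) -> Dict[str, Tuple[bool, bool]]:
    """For each payload: (deny-list lets it through?, allow-list accepts it?)."""
    return {
        name: (blocklist_allows(v), allowlist_delivery_date(v, today) is not None)
        for name, v in PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, (deny_ok, allow_ok) in evaluate().items():
        print(f"{name:11s} deny-list passes: {deny_ok!s:5s} allow-list accepts: {allow_ok}")
```

The deny-list passes both quote-free payloads ("numeric_or" and "sleep"), which is exactly what an injection into a numeric or unquoted context needs; the allow-list accepts only the benign date. The edge rule is the same inside the application: in WordPress code the durable fix is to bind the value through $wpdb->prepare() rather than interpolate it, with this kind of validation as defence in depth.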

Affected packages
  • tychesoftwares / Order Delivery Date for WooCommerce: ≤ 4.5.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L