HIGH | CVE-2026-52700 | CNA: Patchstack

CVE-2026-52700: WordPress WCMultiShipping plugin <= 3.0.2 - SQL Injection vulnerability

SQL injection exploitable by a Subscriber-level user in WCMultiShipping versions <= 3.0.2.

Metrics

CVSS v3.1: 8.5
Severity: HIGH
Fixed in: no fixed version published upstream yet
Affected Products: 1


HarborGuard Analysis

Synopsis

SQL injection vulnerability in the WCMultiShipping WordPress plugin (versions 3.0.2 and below) allows an authenticated attacker with only subscriber-level access to send malicious database queries over the network. No elevated privileges are needed beyond a basic account, making exploitation accessible to any registered user. Successful exploitation gives the attacker read access to sensitive database contents across the WooCommerce site and causes minor availability disruption. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection for CVE-2026-52700 is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against all customer images, including custom-built WordPress or WooCommerce images that bundle the WCMultiShipping plugin. Coverage extends to images at any stage of the CI/CD pipeline and in connected registries.

Status: Available
Triage

HarborGuard scores this CVE at 8.5 HIGH using the published CVSS v3.1 vector and weights that score against each environment's active compliance policy to determine breach-of-threshold status. Triage findings are routed to the team inbox configured for the affected workload within each customer organization.

Status: Available
Patch

No fix version has been published upstream for CVE-2026-52700. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress service via HTTP/HTTPS.

  • Authentication: Required

    A low-privilege account (subscriber level) is sufficient; no administrative or elevated role is needed.

  • Victim interaction: Not required

    The attacker sends the malicious request directly with no need for any user to click a link or take any action.

  • Attack complexity: Low

    Exploitation is reliable and condition-free, with no race conditions or special environmental factors required.

Blast Radius

  • The attacker can read arbitrary rows from the WordPress and WooCommerce database, including stored order records, customer PII, and hashed credentials.
  • Session tokens, API keys, or payment-related metadata stored in the database may be extracted directly.
  • The availability impact is rated low, meaning the attacker can cause minor or intermittent disruption to database-dependent site functions.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for CVE-2026-52700 as of the advisory date, HarborGuard monitors the Patchstack advisory feed on every ingest cycle and will surface a patched-image rebuild the moment a remediated plugin version is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will fire automatically at that point. In the meantime, compensating controls worth considering include network-policy isolation that restricts which external sources can reach the WordPress service, egress filtering to limit outbound database access from the container, and disabling or removing the WCMultiShipping plugin in images where Mondial Relay or Chronopost shipping is not actively in use. Where compliance policy flags this HIGH-severity finding as above threshold, HarborGuard routes the alert to the configured team inbox so the appropriate owners can apply those controls without delay.

Affected packages
  • WcMultishipping – Mondial Relay & Chronopost for WooCommerce / WCMultiShipping
    ≤ 3.0.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L