CVE-2026-54815 | Severity: CRITICAL | CNA: Patchstack

CVE-2026-54815: WordPress Cargo Shipping Location for WooCommerce plugin <= 5.6 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cargo RD Cargo Shipping Location for WooCommerce allows Blind SQL Injection. This issue affects Cargo Shipping Location for WooCommerce: from n/a through 5.6.

Metrics

CVSS v3.1: 9.3
Severity: CRITICAL
Fixed in: no fix version published upstream
Affected products: 1


HarborGuard Analysis

Synopsis

A SQL injection vulnerability exists in the Cargo Shipping Location for WooCommerce WordPress plugin at version 5.6 and below. The flaw is reachable over the network without any authentication, derived from the CVSS vector showing AV:N and PR:N. Successful exploitation allows blind SQL injection, giving an attacker the ability to read confidential data from the underlying database, with a scope change that means impact extends beyond the plugin itself to the broader WordPress and WooCommerce database. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
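The advisory does not publish the vulnerable code, so the following is an added illustrative example, not code from the Cargo Shipping Location plugin. It shows the general WordPress pattern behind this CWE-89 class: a request parameter concatenated into a query string through `$wpdb`, beside the same lookup bound through `$wpdb->prepare()`. The table name `shipping_locations`, the `location` parameter and the function names are assumptions made for the example.

```php
<?php
// Added example (not the plugin's code). Hypothetical table "{$wpdb->prefix}shipping_locations"
// and hypothetical request parameter "location" are assumed for illustration.

// Vulnerable form: the caller-supplied value is interpolated directly into SQL.
// Any quote or operator in $location becomes part of the statement, which is the
// root cause behind a blind SQL injection finding such as this one.
function csl_lookup_location_unsafe( $location ) {
    global $wpdb;
    $sql = "SELECT id, name, rate
            FROM {$wpdb->prefix}shipping_locations
            WHERE name = '{$location}'";
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Hardened form: the value is passed as a bound parameter via $wpdb->prepare().
// %s is quoted and escaped by WordPress; the input can never change the query shape.
function csl_lookup_location_safe( $location ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT id, name, rate
         FROM {$wpdb->prefix}shipping_locations
         WHERE name = %s",
        $location
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Typical unauthenticated entry point (AJAX handler registered with the nopriv hook,
// matching the PR:N condition in the advisory). Input is read, sanitized as a plain
// string and handed only to the prepared-statement variant.
function csl_ajax_lookup_location() {
    $location = isset( $_GET['location'] ) ? sanitize_text_field( wp_unslash( $_GET['location'] ) ) : '';
    if ( '' === $location ) {
        wp_send_json_error( array( 'message' => 'location is required' ), 400 );
    }
    wp_send_json_success( csl_lookup_location_safe( $location ) );
}
add_action( 'wp_ajax_nopriv_csl_lookup_location', 'csl_ajax_lookup_location' );
add_action( 'wp_ajax_csl_lookup_location', 'csl_ajax_lookup_location' );
```

Sanitization alone is not the fix; `sanitize_text_field()` strips tags and control characters but leaves quotes intact, so the query must still be parameterized. When auditing a plugin for this class, grep for `$wpdb->query`, `get_results`, `get_var` and `get_row` calls whose SQL string is built with interpolation or concatenation rather than through `$wpdb->prepare()`.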

HarborGuard Coverage

Detection (status: Available)

Detection of CVE-2026-54815 is available across every HarborGuard environment. The CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built WordPress images that bundle this plugin.

Triage (status: Available)

HarborGuard is capable of scoring this CVE at its published CVSS 9.3 Critical rating and weighting it against each customer environment's compliance policy to surface appropriate urgency. Triage routing directs findings to the team inbox or ticketing integration configured within each customer organization.

Patch (status: Pending upstream)

Because no fix version has been published upstream, HarborGuard re-checks the Patchstack advisory and relevant feeds on every ingest cycle. The moment an upstream patch is released, a patched-image rebuild at the fix version becomes available, and customers with auto-remediation enabled will automatically receive a rebuilt image, a regression test run, and a PR opened against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the WordPress service over the network; no local or physical access is needed.

  • Authentication: Not required

    No account or session credential of any kind is needed to trigger the injection point.

  • Victim interaction: Not required

    The attack is fully server-side and requires no action from any user or administrator.

  • Attack complexity: Low (AC:L)

    The exploit is reliable and condition-free; no race conditions, memory layout dependencies, or environmental factors must be satisfied.

Blast Radius

  • Reads arbitrary rows from the WordPress and WooCommerce database, including stored customer records, order histories, and account credentials.
  • Because the CVSS scope is changed (S:C), the confidentiality impact extends beyond the plugin's own data boundary to any table the database user can access.
  • Causes limited disruption to database availability, consistent with the Low availability impact token in the CVSS vector.
  • An attacker using blind SQL injection techniques can systematically extract data over repeated requests without triggering obvious application errors.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists as of the publication date, HarborGuard monitors the Patchstack advisory and all relevant upstream feeds on every ingest cycle and will surface a patched-image rebuild automatically the moment a fix version is published. In the interim, compensating controls worth evaluating include network-policy rules that restrict public HTTP access to affected WordPress deployments, web application firewall rules targeting SQL injection payloads on WooCommerce endpoints, and feature-flag or plugin-disablement options within the WordPress admin to deactivate the Cargo Shipping Location plugin until a patch is available. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual intervention as soon as an upstream fix is ingested.

Affected packages
  • Cargo RD / Cargo Shipping Location for WooCommerce, versions ≤ 5.6

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L