CVE-2026-0678 is a SQL Injection vulnerability classified under CWE-89 that affects the Flat Shipping Rate by City for WooCommerce plugin for WordPress, specifically versions up to and including 1.0.3. The vulnerability stems from insufficient escaping and lack of proper preparation of the 'cities' parameter in SQL queries. This flaw allows authenticated users with Shop Manager-level access or higher to inject additional SQL commands into existing queries. The injection is time-based, meaning attackers can infer data by measuring response delays, enabling extraction of sensitive information from the backend database without direct error messages. The attack vector requires network access but no user interaction beyond authentication. The CVSS v3.1 score is 4.9 (medium), reflecting the need for elevated privileges but the high impact on confidentiality. The vulnerability does not affect integrity or availability directly. No patches were linked at the time of disclosure, and no known exploits in the wild have been reported. The vulnerability highlights the importance of proper input sanitization and use of parameterized queries in WordPress plugins handling user-supplied data, especially those managing e-commerce shipping configurations.

The primary impact of this vulnerability is the potential unauthorized disclosure of sensitive information stored in the WooCommerce database, such as customer data, order details, or configuration settings. Since the attack requires Shop Manager-level access, the threat is limited to insiders or compromised accounts with elevated privileges, reducing the risk of widespread exploitation by external attackers. However, if an attacker gains such access, they can leverage this vulnerability to escalate data breaches, potentially exposing personally identifiable information (PII) or business-critical data. This can lead to reputational damage, regulatory penalties (e.g., GDPR violations), and financial losses. The vulnerability does not directly affect data integrity or system availability, but the confidentiality breach alone can have significant consequences for e-commerce businesses relying on WooCommerce. Organizations with large WooCommerce deployments using this plugin are at higher risk, especially if user role management is lax or if Shop Manager accounts are compromised.

1. Immediately restrict Shop Manager and higher privileges to trusted personnel only and audit existing accounts for suspicious activity. 2. Monitor and log database queries related to the 'cities' parameter to detect anomalous or time-based injection patterns. 3. Apply strict input validation and sanitization on the 'cities' parameter, ensuring only expected city names or codes are accepted. 4. Implement parameterized queries or prepared statements in the plugin code to prevent SQL injection. 5. If a patch becomes available from the vendor, promptly update the plugin to the fixed version. 6. Consider temporarily disabling or replacing the plugin with alternative shipping rate solutions if patching is delayed. 7. Conduct regular security assessments and penetration testing on WooCommerce environments to identify privilege escalation and injection vulnerabilities. 8. Enforce multi-factor authentication (MFA) for all users with Shop Manager or higher roles to reduce risk of account compromise. 9. Backup databases regularly and ensure backups are secure to enable recovery in case of data breaches.