CVE-2026-0702 is a vulnerability classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), specifically a time-based SQL Injection flaw in the VidShop – Shoppable Videos for WooCommerce plugin for WordPress. This vulnerability affects all versions up to and including 1.1.4. The root cause is insufficient escaping and lack of proper preparation of the 'fields' parameter within SQL queries. Because the plugin fails to sanitize user-supplied input adequately, an attacker can inject malicious SQL code into the query. The attack vector is remote and does not require authentication or user interaction, making it highly accessible. The time-based nature of the injection allows attackers to infer data by measuring response delays, enabling extraction of sensitive information such as user data, credentials, or other confidential database contents. The vulnerability does not affect integrity or availability directly but poses a significant confidentiality risk. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The CVSS v3.1 score is 7.5, reflecting high severity due to ease of exploitation over the network and the potential for significant data leakage.

The primary impact of CVE-2026-0702 is unauthorized disclosure of sensitive information stored in the WordPress site's database. Attackers exploiting this vulnerability can extract confidential data such as customer information, payment details, or administrative credentials, which can lead to identity theft, financial fraud, or further compromise of the affected system. Since the vulnerability requires no authentication or user interaction, it can be exploited by any remote attacker scanning for vulnerable sites. This increases the attack surface significantly, especially for e-commerce sites relying on WooCommerce and the VidShop plugin. The breach of confidentiality can damage organizational reputation, lead to regulatory penalties (e.g., GDPR), and cause operational disruptions if attackers leverage stolen data for further attacks. Although the vulnerability does not directly affect data integrity or availability, the indirect consequences of data leakage can be severe. Organizations worldwide using this plugin are at risk, particularly those with large customer bases or sensitive transactional data.

1. Monitor for official patches or updates from the wpcreatix vendor and apply them immediately once available. 2. Until a patch is released, implement a Web Application Firewall (WAF) with specific rules to detect and block SQL Injection attempts targeting the 'fields' parameter or related endpoints. 3. Restrict access to the plugin's endpoints by IP whitelisting or authentication where feasible to reduce exposure. 4. Conduct a thorough audit of logs to detect any suspicious or anomalous queries that may indicate attempted exploitation. 5. Employ database user permissions with least privilege, ensuring the WordPress database user has minimal rights to limit data exposure in case of compromise. 6. Consider temporarily disabling or removing the VidShop plugin if immediate patching is not possible and the risk is unacceptable. 7. Educate development and security teams about secure coding practices, particularly input validation and parameterized queries, to prevent similar vulnerabilities in custom plugins or themes.