An SQL injection vulnerability exists in Craft Commerce's TotalRevenue widget in versions 4.0.0 to 4.10.2 and 5.0.0 to 5.5.4. Unsanitized widget settings are interpolated into SQL expressions, and PDO's multi-statement support allows injection of a malicious serialized PHP object into the queue table. When the queue consumer processes this job, the unserialize() call in yii2-queue triggers a GuzzleHttp FileCookieJar gadget chain, which writes a PHP webshell to the webroot via its destructor. This chain requires only authenticated control panel access (no admin privileges) and three HTTP requests, with queue processing triggered through an unauthenticated endpoint, resulting in arbitrary code execution as the PHP process user. The issue is resolved in Craft Commerce versions 4.10.3 and 5.5.5.

Successful exploitation results in remote code execution on the server running Craft Commerce, allowing an attacker with authenticated control panel access (non-admin) to execute arbitrary commands as the PHP process user. This can lead to full compromise of the affected system. The vulnerability leverages SQL injection combined with PHP object injection and unauthenticated queue processing to achieve this impact.

A fix is available in Craft Commerce versions 4.10.3 and 5.5.5. Users should upgrade to these or later versions to remediate this vulnerability. Until upgraded, restrict control panel access to trusted users only, as the exploit requires authenticated control panel access. Patch status is confirmed fixed in the specified versions.