SQL Injection Vulnerability in YITH WooCommerce Product Add-Ons
CVE-2026-42383

7.6HIGH

Key Information:

Vendor: WordPress
Status: Yith WooCommerce Product Add-ons
Vendor: CVE Published:; 20 May 2026

What is CVE-2026-42383?

An SQL Injection vulnerability exists in YITH WooCommerce Product Add-Ons, enabling attackers to execute arbitrary SQL commands. This flaw arises from improper neutralization of special elements within SQL commands, allowing for a Blind SQL Injection attack. Versions from n/a to 4.29.0 are impacted, potentially exposing sensitive data and compromising site integrity. It's critical for users of the plugin to apply the latest security updates and implement best practices to protect their websites against exploitation.

Affected Version(s)

YITH WooCommerce Product Add-Ons <= 4.29.0

References

https://patchstack.com/database/wordpress/plugin/yith-woo...

vdb-entry

CVSS V3.1

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 20, 2026
Vulnerability Reserved
Apr 27, 2026

Credit

Nguyen Ba Khanh | Patchstack Bug Bounty Program

CVE-2026-42383 Data

JSON

WordPress

What is CVE-2026-42383?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit