Security Alert Summary
The SIBS woocommerce payment gateway plugin for WordPress contains a time-based SQL Injection vulnerability in the referencedId parameter that affects all versions up to and including 2.2.0. An authenticated attacker with Administrator-level access can append additional SQL into existing queries, which may allow extraction of sensitive information from the database.
CVE Details
- CVE ID: CVE-2026-1370
- Affected component: SIBS woocommerce payment gateway plugin for WordPress
- Affected versions: All versions up to, and including, 2.2.0
- Published: February 4, 2026 at 9:15:52 AM UTC
- Last modified: February 4, 2026 at 4:33:44 PM UTC
- CVSS v3.1: Base Score 4.9 (MEDIUM); vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
- Authentication / privileges / user interaction: Requires an authenticated attacker with Administrator-level privileges (Privileges Required: High); User Interaction: None.
- Primary impact: Confidentiality: High; Integrity: None; Availability: None
- CWE / weakness: CWE-89 (SQL Injection)
Technical Details
The vulnerability is a time-based SQL Injection in the referencedId parameter. According to the CVE description, insufficient escaping of the user-supplied parameter, combined with a lack of sufficient preparation on the existing SQL query (for example, no parameterized query or prepared statement), allows an authenticated administrator to append additional SQL queries to the existing query. This can be used to extract sensitive data from the database.
The CVE's project reference points to the plugin source (class-sibs-payment-gateway.php) as the location of the vulnerable SQL handling. The issue exists because user input is incorporated into an SQL context without adequate escaping or query preparation.
Impact is limited to information disclosure via SQL results; the CVE does not report direct integrity or availability effects.
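The following before/after is an added illustration, not code from the SIBS plugin or its advisory: it shows the unsafe interpolation pattern the CVE description points to, and the prepared-statement form WordPress provides through $wpdb->prepare(). The function, table and column names are assumptions; the parameter name referencedId and the manage_woocommerce capability are real.

```php
<?php
// Hypothetical before/after for a payment-gateway transaction lookup.
// Illustrative only; not code from the SIBS plugin. The table
// wp_sibs_transactions and its columns are assumed names.

// BEFORE: the request value is concatenated straight into the SQL string.
// Whatever escaping happens elsewhere, the value still becomes part of the
// query text, which is the class of defect CWE-89 describes.
function sibs_lookup_transaction_unsafe( $referenced_id ) {
    global $wpdb;
    $sql = "SELECT order_id, status FROM {$wpdb->prefix}sibs_transactions"
         . " WHERE referenced_id = '" . $referenced_id . "'";
    return $wpdb->get_row( $sql );
}

// AFTER: the value is bound as a parameter through $wpdb->prepare(), so the
// database receives it as data rather than as query syntax. A capability
// check also keeps the lookup from being reachable by roles that have no
// need to run it, which narrows who can even submit the parameter.
function sibs_lookup_transaction_safe( $referenced_id ) {
    global $wpdb;

    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return null;
    }

    // Normalise the input to the shape a reference id is expected to have.
    $referenced_id = sanitize_text_field( wp_unslash( $referenced_id ) );
    if ( '' === $referenced_id || strlen( $referenced_id ) > 64 ) {
        return null;
    }

    $sql = $wpdb->prepare(
        "SELECT order_id, status FROM {$wpdb->prefix}sibs_transactions WHERE referenced_id = %s",
        $referenced_id
    );
    return $wpdb->get_row( $sql );
}

// Assumed call site, e.g. inside an admin-ajax or REST handler:
// $row = sibs_lookup_transaction_safe( $_GET['referencedId'] ?? '' );
```

When auditing a plugin for this class of issue, grep for $wpdb->query, get_row, get_results and get_var calls whose SQL string is built with concatenation or interpolation of request data and is not wrapped in $wpdb->prepare().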
How This Could Impact Your Website
Consider a site with a site owner, several internal staff users (editors or managers), and an external contractor who has been granted Administrator-level access to manage payments or settings. If an Administrator account is malicious or becomes compromised, the attacker could use the vulnerable referencedId parameter to extract sensitive data from the database. This may include user records or other confidential information stored in accessible tables.
Practical consequences include exposure of internal user email addresses and other personal data that can increase the chance of successful targeted phishing or social engineering campaigns against staff or customers. Because exploitation requires Administrator-level privileges, the primary risk is from compromised or untrusted admin accounts rather than anonymous external actors.
“If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.”
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (If a fixed version is not specified in the CVE entry, check the plugin’s official page or vendor advisory for updates.)
- Review and reduce unnecessary user roles, especially accounts with Administrator-level privileges and contributors with elevated rights.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and database access logs for unusual behavior that could indicate data extraction attempts.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.