WordPress Security Bulletin: Flat Shipping Rate by City for WooCommerce plugin for WordPress Vulnerability (CVE-2026-0678)

Security Alert Summary

The Flat Shipping Rate by City for WooCommerce plugin for WordPress is vulnerable to time-based (blind) SQL injection: an authenticated user with Shop Manager-level access or higher can append SQL to an existing database query through the cities parameter. A successful attack can be used to extract sensitive information from the site’s database.

CVE Details

  • CVE ID: CVE-2026-0678
  • Affected component: Flat Shipping Rate by City for WooCommerce plugin for WordPress
  • Affected versions: All versions up to, and including, 1.0.3
  • Published: January 14, 2026, 6:15:55 AM
  • Last modified: January 14, 2026, 4:25:12 PM
  • CVSS v3.1: Base Score 4.9 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
  • Authentication / privileges / user interaction: Authentication required. Privileges required: HIGH (the advisory notes attackers need Shop Manager-level access and above). User interaction: NONE.
  • Primary impact: Confidentiality: HIGH; Integrity: NONE; Availability: NONE
  • CWE / weakness: CWE-89 (SQL Injection)

Technical Details

The vulnerability is a time-based SQL injection in the plugin’s handling of the cities parameter. The CVE description notes that the user-supplied value is not sufficiently escaped and that the existing SQL query is not prepared (parameterized) before execution, so an authenticated attacker with sufficient privileges can append additional SQL to that query. Because the query’s result is not reflected back to the attacker, extraction is time-based: the injected SQL introduces a conditional delay, and the attacker reads the database one true/false condition at a time from the response latency. This is slower than error- or union-based injection but, as the advisory indicates, still sufficient to extract sensitive information.

The issue lies in how the plugin constructs and executes the SQL behind its shipping-city handling; the public references point at the plugin file shipping-method-class.php. The CVE entry names no specific REST endpoint or function, only the cities parameter.
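The following is an added illustration for this bulletin, not the plugin’s own code: it does not reproduce the vulnerable function, only the bug class the CVE describes (a cities value spliced into SQL without escaping or preparation) beside the hardened form a WordPress plugin should use, $wpdb->prepare() with one placeholder per value. The table name city_shipping_rates, its columns, and the FakeWpdb stand-in are assumptions made so the file runs from the command line.

```php
<?php
// Added example for this bulletin; it is NOT the plugin's code and does not
// reproduce the actual vulnerable function. It shows the bug class the CVE
// describes (a "cities" value spliced into SQL without escaping or preparation)
// next to the hardened form using $wpdb->prepare(). The table name
// {prefix}city_shipping_rates and the column names are hypothetical.

// Stand-in for the global WordPress $wpdb object so the file runs from the CLI.
// Only prepare() is modelled, and only the %s/%d placeholders; real wpdb escapes
// through the MySQL driver rather than addslashes(), but the shape is the same.
class FakeWpdb
{
    public $prefix = 'wp_';

    public function prepare(string $query, ...$args): string
    {
        // wpdb quotes %s itself, so a query written with '%s' is normalised first.
        $query = str_replace("'%s'", '%s', $query);
        $query = str_replace('%s', "'%s'", $query);
        $escaped = array_map(
            fn($a) => is_int($a) ? $a : addslashes((string) $a),
            $args
        );
        return vsprintf($query, $escaped);
    }
}

// VULNERABLE pattern (CWE-89): the raw request value is interpolated into the
// statement. A single quote in any city name ends the literal, and whatever
// follows it is executed as SQL.
function get_rates_unsafe(FakeWpdb $wpdb, string $cities_param): string
{
    $table = $wpdb->prefix . 'city_shipping_rates';
    $list  = implode("','", array_map('trim', explode(',', $cities_param)));
    return "SELECT city, rate FROM {$table} WHERE city IN ('{$list}')";
}

// HARDENED pattern: one %s placeholder per city; values reach the SQL text only
// through prepare(). An empty list is handled explicitly because "IN ()" is a
// syntax error in MySQL.
function get_rates_safe(FakeWpdb $wpdb, string $cities_param): ?string
{
    $table  = $wpdb->prefix . 'city_shipping_rates';
    $cities = array_values(array_filter(
        array_map('trim', explode(',', $cities_param)),
        fn($c) => $c !== ''
    ));
    if ($cities === []) {
        return null;
    }
    $placeholders = implode(', ', array_fill(0, count($cities), '%s'));
    return $wpdb->prepare(
        "SELECT city, rate FROM {$table} WHERE city IN ({$placeholders})",
        ...$cities
    );
}

$wpdb = new FakeWpdb();

// Constructed inputs: a normal value and a textbook time-based probe of the
// kind a Shop Manager could submit wherever the plugin accepts the city list.
$normal = 'Paris, Lyon';
$probe  = "Paris') OR SLEEP(5)-- -";

foreach ([$normal, $probe] as $input) {
    echo "input:  {$input}\n";
    echo "unsafe: " . get_rates_unsafe($wpdb, $input) . "\n";
    echo "safe:   " . get_rates_safe($wpdb, $input) . "\n\n";
}
```

Run it with `php example.php`. For the probe, the unsafe branch emits the input verbatim after the closing quote, so the statement gains an `OR SLEEP(5)` clause and the trailing `')` is commented out; the prepared branch escapes the quote and the entire string stays inside one literal, where it merely fails to match any city. In a real plugin the same rule applies to every value that originates from a request or a saved setting, including ones only Shop Managers can edit. Note that prepare() covers values only: identifiers such as table names must come from trusted code (here the $wpdb->prefix) or, on WordPress 6.2 and later, go through the %i identifier placeholder.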

Impact is limited to data disclosure (confidentiality). The CVE does not indicate integrity or availability impacts, and it requires an authenticated user with elevated privileges rather than anonymous access.

How This Could Impact Your Website

In a typical small-to-medium WordPress site with multiple users, an attacker who has obtained Shop Manager-level credentials — for example, an internal staff member or an external contractor given elevated access — could use the cities parameter to perform time-based SQL injection and extract sensitive database records. Practical consequences include exposure of customer or internal user data (such as email addresses or other stored fields) which can increase the risk of targeted phishing or social engineering against staff or customers.

Example scenario: the site owner has granted a contractor Shop Manager access to manage products and shipping. If that contractor account is compromised or misused, an attacker could leverage this vulnerability to retrieve confidential customer information from the database without altering site content or causing downtime. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available. (No fixed version is specified in the CVE entry.) Until a fix ships, consider deactivating the plugin, since every released version up to and including 1.0.3 is affected.
  • Review and reduce unnecessary user roles and privileges, especially accounts with Shop Manager-level access and above.
  • Enforce strong passwords and enable two-factor authentication for editors, administrators, and Shop Managers.
  • Remove unused or unmaintained plugins from your site.
  • Monitor database logs for the signature of time-based injection: queries that take abnormally long (for example, entries in the MySQL slow query log) and contain timing functions such as SLEEP() or BENCHMARK(). Also review WordPress activity for unexpected changes to the plugin’s shipping-city settings by Shop Manager accounts.
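As an added example (not part of the bulletin and not code from the plugin’s authors), the script below applies the monitoring suggestion above to MySQL slow-query-log text: it parses each entry and flags statements that both contain a timing primitive and ran long enough for the delay to have fired. The two log entries are constructed for the example, the table name is hypothetical, and the one-second threshold is an assumption to tune per site.

```php
<?php
// Added example, not part of the bulletin: flags slow-query-log entries whose
// statement contains a timing primitive AND took long enough to suggest the
// delay actually fired. Both log entries below are constructed; the table name
// is hypothetical; the 1-second threshold is an assumption to tune per site.

$slow_log_sample = <<<'LOG'
# Time: 2026-01-14T10:02:11.123456Z
# User@Host: wp[wp] @ localhost []  Id:   211
# Query_time: 0.004012  Lock_time: 0.000100 Rows_sent: 3  Rows_examined: 3
SET timestamp=1768384931;
SELECT city, rate FROM wp_city_shipping_rates WHERE city IN ('Paris','Lyon');
# Time: 2026-01-14T10:02:19.654321Z
# User@Host: wp[wp] @ localhost []  Id:   212
# Query_time: 5.001378  Lock_time: 0.000090 Rows_sent: 0  Rows_examined: 3
SET timestamp=1768384939;
SELECT city, rate FROM wp_city_shipping_rates WHERE city IN ('Paris') OR SLEEP(5)-- -');
LOG;

/**
 * Parse slow-log text into entries and return those that look like time-based
 * SQL injection. Each hit carries the timestamp, Query_time and statement.
 */
function find_timing_injections(string $log, float $min_seconds = 1.0): array
{
    $hits  = [];
    $entry = ['time' => null, 'query_time' => 0.0, 'sql' => []];

    // Evaluates the entry collected so far; called at each "# Time:" header
    // and once more at end of input.
    $flush = function () use (&$entry, &$hits, $min_seconds): void {
        $sql = trim(implode("\n", $entry['sql']));
        if ($sql !== ''
            && $entry['query_time'] >= $min_seconds
            && preg_match('/\b(SLEEP|BENCHMARK)\s*\(/i', $sql)) {
            $hits[] = [
                'time'       => $entry['time'],
                'query_time' => $entry['query_time'],
                'sql'        => $sql,
            ];
        }
        $entry = ['time' => null, 'query_time' => 0.0, 'sql' => []];
    };

    foreach (preg_split('/\R/', $log) as $line) {
        if (preg_match('/^# Time: (\S+)/', $line, $m)) {
            $flush();
            $entry['time'] = $m[1];
        } elseif (preg_match('/^# Query_time: ([\d.]+)/', $line, $m)) {
            $entry['query_time'] = (float) $m[1];
        } elseif ($line !== '' && $line[0] !== '#' && stripos($line, 'SET timestamp=') !== 0) {
            $entry['sql'][] = $line;   // statement text, possibly spanning lines
        }
    }
    $flush();

    return $hits;
}

foreach (find_timing_injections($slow_log_sample) as $hit) {
    printf("[%s] %.3fs  %s\n", $hit['time'], $hit['query_time'], $hit['sql']);
}
```

Only the second entry is reported: it contains SLEEP( and its Query_time exceeds the threshold, while the first is a normal lookup. To produce this log on a real server, enable `slow_query_log` and set `long_query_time` to about one second. Treat a match as a triage signal rather than proof: a probe can use shorter delays or heavy subqueries that never name SLEEP() or BENCHMARK(), so pair the database log with the web server access log to tie each flagged query back to the authenticated request, and therefore the account, that issued it.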

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References