YITH WooCommerce Product Add-Ons Blind SQLi (CVE-2026-42383)

/HIGH /CVSS 7.6/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitysql-injectioncwe-89
YITH WooCommerce Product Add-Ons Blind SQLi (CVE-2026-42383)

The National Vulnerability Database has disclosed CVE-2026-42383, a high-severity Blind SQL Injection vulnerability impacting YITH WooCommerce Product Add-Ons. This flaw, rated 7.6 CVSS (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L), allows attackers with high privileges to execute arbitrary SQL commands.

The vulnerability is present in versions up to and including 4.29.0 of the YITH WooCommerce Product Add-Ons plugin. An attacker can exploit this to extract sensitive data from the database, potentially leading to full compromise of the e-commerce platform and its customer information. The ‘high privileges required’ caveat shouldn’t lull anyone into complacency; compromised admin accounts are a common entry point, and this vulnerability then provides lateral movement and data exfiltration capabilities.

Defenders using this plugin must prioritize patching. A SQL injection of this nature, especially blind, is a stealthy vector for data theft. Attackers will leverage this to exfiltrate customer data, payment information, or internal business logic, which can then be sold or used for further attacks. The CISO’s focus here needs to be on immediate remediation and a thorough audit of any systems running the affected plugin.

What This Means For You

  • If your organization uses YITH WooCommerce Product Add-Ons, immediately verify your version. Patch to a remediated version beyond 4.29.0 to mitigate CVE-2026-42383. Post-patch, audit your database logs for any suspicious queries or data exfiltration attempts prior to applying the fix, as this blind SQLi could have been exploited without immediate detection.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1505.003 Server Software Component: Web Shell Persistence T1189 Drive-by Compromise Initial Access

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1190 Initial Access

CVE-2026-42383 - YITH WooCommerce Product Add-Ons Blind SQLi

Sigma YAML — free preview 
title: CVE-2026-42383 - YITH WooCommerce Product Add-Ons Blind SQLi
id: scw-2026-05-20-ai-1
status: experimental
level: high
description: |
  This rule detects attempts to exploit CVE-2026-42383 in the YITH WooCommerce Product Add-Ons plugin. It specifically looks for requests to 'admin-ajax.php' with the 'yith_load_product_options' action, containing parameters indicative of SQL injection attempts like 'product_id' and 'addon_data', along with common SQL keywords and functions used in blind SQLi payloads (e.g., UNION, SELECT, FROM, information_schema, @@version, SLEEP, BENCHMARK).
author: SCW Feed Engine (AI-generated)
date: 2026-05-20
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42383/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/wp-admin/admin-ajax.php'
      cs-uri-query|contains:
          - 'action=yith_load_product_options'
      cs-uri-query|contains:
          - 'product_id='
      cs-uri-query|contains:
          - 'addon_data='
      cs-uri-query|contains:
          - 'UNION'
      cs-uri-query|contains:
          - 'SELECT'
      cs-uri-query|contains:
          - 'FROM'
      cs-uri-query|contains:
          - 'information_schema'
      cs-uri-query|contains:
          - '@@version'
      cs-uri-query|contains:
          - 'SLEEP('
      cs-uri-query|contains:
          - 'BENCHMARK('
      condition: cs-uri AND cs-uri-query
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-42383 Vulnerability CVE-2026-42383

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 20, 2026 at 16:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-20240 — Denial of Service

CVE-2026-20240 — In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129,...

vulnerabilityCVEmedium-severitydenial-of-servicecwe-20
/SCW Vulnerability Desk /MEDIUM /6.5 /⚑ 2 IOCs /⚙ 2 Sigma

Splunk Enterprise, Cloud Vulnerability Exposes Session Cookies, Sensitive Data

CVE-2026-20239 — In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a...

vulnerabilityCVEhigh-severitycwe-532
/SCW Vulnerability Desk /HIGH /7.5 /⚑ 5 IOCs /⚙ 4 Sigma

CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged

CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data...

vulnerabilityCVEmedium-severitycwe-863
/SCW Vulnerability Desk /MEDIUM /6.5 /⚑ 2 IOCs /⚙ 2 Sigma