Atomic Edge analysis of CVE-2026-0702:
The VidShop for WooCommerce plugin contains an unauthenticated time-based SQL injection vulnerability in its REST API endpoint. Attackers can inject malicious SQL payloads via the ‘fields’ parameter, allowing data extraction from the WordPress database. This vulnerability affects all plugin versions up to and including 1.1.4, with a CVSS score of 7.5.

Root Cause:
The vulnerability originates in the get_items() method of the Videos_Controller class at vidshop-for-woocommerce/includes/rest-api/v1/class-videos-controller.php. The ‘fields’ parameter from user input passes directly into the select() method without validation. The Query_Builder class at vidshop-for-woocommerce/includes/utils/class-query-builder.php then incorporates this unsanitized input into SQL queries. The plugin fails to use prepared statements for date range parameters in multiple model methods, including get_total_likes() in class-video-event-model.php and get_total_views() in class-video-product-stats-model.php.

Exploitation:
Attackers send GET requests to the WordPress REST API endpoint /wp-json/vidshop/v1/videos with a malicious ‘fields’ parameter. The payload uses SQL time delays like SLEEP(5) to extract database information through blind injection. Example payload: fields=id,(SELECT+1+FROM+dual+WHERE+SLEEP(5)). The attacker can enumerate database structure and extract sensitive data including user credentials, plugin data, and WooCommerce information.

Patch Analysis:
The patch introduces multiple security layers. Version 1.1.5 adds a sanitize_fields_param() method that implements whitelist validation against allowed field names. The get_allowed_fields() method defines acceptable column names. The Query_Builder class receives a new sanitize_columns() method with regex validation for column names. All date range queries now use $wpdb->prepare() with prepared statements. The video_id parameters receive absint() sanitization. The patch also adds proper sanitization for the ‘ids’ parameter and implements prepared statements for ORDER BY FIELD() clauses.
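The whitelist-plus-regex layer described above, written out as an added illustration rather than the plugin's own code; the class name, the allowed-field list and the table name are assumptions, only the method names come from the analysis:

```php
<?php
// Added example: the field-whitelisting fix pattern described in the 1.1.5 patch analysis.
// Not the plugin's code. Class name, ALLOWED_FIELDS and the table name are assumptions.

class Videos_Fields_Validator {
    // Assumed allowed column names; the plugin's get_allowed_fields() defines its own list.
    private const ALLOWED_FIELDS = array( 'id', 'title', 'product_id', 'views', 'likes', 'created_at' );

    public static function get_allowed_fields(): array {
        return self::ALLOWED_FIELDS;
    }

    // Split the comma-separated 'fields' value and keep only exact whitelisted names.
    // A subquery, function call or quoted string is never an allowed field, so it is dropped.
    public static function sanitize_fields_param( string $fields ): array {
        $requested = array_map( 'trim', explode( ',', $fields ) );
        $clean     = array_values( array_intersect( $requested, self::get_allowed_fields() ) );
        return empty( $clean ) ? array( 'id' ) : $clean;
    }

    // Second layer, mirroring the described Query_Builder::sanitize_columns():
    // only identifier-shaped column names survive the regex, even if the whitelist changes later.
    public static function sanitize_columns( array $columns ): array {
        return array_values( array_filter( $columns, static function ( string $col ): bool {
            return (bool) preg_match( '/^[A-Za-z_][A-Za-z0-9_]*$/', $col );
        } ) );
    }
}

// Before (the vulnerable shape the root-cause section describes): the raw parameter
// is spliced straight into the SELECT list, so anything the client sends reaches MySQL.
function build_select_unsafe( string $fields ): string {
    return "SELECT {$fields} FROM wp_vidshop_videos"; // table name is an assumption
}

// After: only whitelisted, identifier-shaped columns can appear in the query text.
function build_select_safe( string $fields ): string {
    $cols = Videos_Fields_Validator::sanitize_columns(
        Videos_Fields_Validator::sanitize_fields_param( $fields )
    );
    return 'SELECT ' . implode( ', ', $cols ) . ' FROM wp_vidshop_videos';
}

// Constructed input using the payload shape quoted in the analysis.
$input = 'id,(SELECT 1 FROM dual WHERE SLEEP(5))';
echo build_select_unsafe( $input ), "\n"; // injected subquery survives
echo build_select_safe( $input ), "\n";   // only the whitelisted column survives
```

The date-range and video_id fixes the analysis mentions are a separate layer: values, unlike column names, cannot be whitelisted this way and belong in $wpdb->prepare() placeholders and absint().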

Impact:
Successful exploitation enables complete database compromise. Attackers can extract WordPress user credentials, WooCommerce customer data, payment information, and plugin-specific video analytics. Because the injection is blind and time-based, it produces no SQL error output, so detection that relies on database error messages will miss it. Database extraction can lead to credential stuffing attacks, identity theft, and further system compromise through password hash cracking or session hijacking.