CVE-2026-0702
📋 TL;DR
The VidShop plugin for WordPress is vulnerable to SQL injection via the 'fields' parameter, allowing unauthenticated attackers to execute arbitrary SQL queries. This can lead to extraction of sensitive database information like user credentials, payment details, or other private data. All WordPress sites using VidShop plugin versions up to 1.1.4 are affected.
💻 Affected Systems
- VidShop – Shoppable Videos for WooCommerce WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including administrator credentials, customer payment information, and full site takeover
Likely Case
Extraction of sensitive user data, plugin configuration secrets, and potential privilege escalation
If Mitigated
Limited information disclosure if database permissions are properly restricted and monitoring is in place
🎯 Exploit Status
Time-based SQL injection requires no authentication and can be automated
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.5
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3441106/
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find VidShop – Shoppable Videos for WooCommerce
4. Click 'Update Now' if available
5. If not available, download version 1.1.5+ from WordPress repository
6. Deactivate old version, upload new version, activate
🔧 Temporary Workarounds
Disable VidShop Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate vidshop-for-woocommerce
Web Application Firewall Rule
allBlock requests containing SQL injection patterns targeting the 'fields' parameter
🧯 If You Can't Patch
- Implement strict input validation for the 'fields' parameter at the application level
- Restrict database user permissions to SELECT only for the VidShop plugin database user
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → VidShop version. If version is 1.1.4 or lower, you are vulnerable.Check Version:
wp plugin get vidshop-for-woocommerce --field=versionVerify Fix Applied:
Verify plugin version is 1.1.5 or higher in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in WordPress debug logs
- Multiple requests to /wp-json/vidshop/v1/videos with varying 'fields' parameters
- Long response times from the videos endpoint indicating time-based injection
Network Indicators:
- POST/GET requests to /wp-json/vidshop/v1/videos with SQL keywords in parameters
- Unusual traffic patterns to the WordPress REST API
SIEM Query:
source="wordpress.log" AND ("vidshop" OR "/wp-json/vidshop") AND ("SQL" OR "database" OR "fields=")🔗 References
- https://plugins.trac.wordpress.org/browser/vidshop-for-woocommerce/trunk/includes/rest-api/v1/class-videos-controller.php#L224
- https://plugins.trac.wordpress.org/browser/vidshop-for-woocommerce/trunk/includes/rest-api/v1/class-videos-controller.php#L297
- https://plugins.trac.wordpress.org/browser/vidshop-for-woocommerce/trunk/includes/utils/class-query-builder.php#L778
- https://plugins.trac.wordpress.org/changeset/3441106/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a61d8d2a-742f-45f1-9146-f733b80ef195?source=cve
