CVE-2026-0678

Name of the Vulnerable Software and Affected Versions Flat Shipping Rate by City for WooCommerce plugin for WordPress versions up to and including 1.0.3

Description The software is susceptible to a time-based SQL Injection issue through the cities parameter. Insufficient input sanitization and inadequate SQL query preparation allow authenticated attackers with Shop Manager-level access or higher to inject additional SQL queries into existing database queries. This can potentially lead to the extraction of sensitive information from the database.

Recommendations Versions prior to and including 1.0.3 should be updated to a newer, secure version if available. As a temporary workaround, restrict access to the cities parameter.