📧 info@ciso.sa | 📱 +966550939344 | Riyadh, Kingdom of Saudi Arabia
About FAQ Contact Us Terms of Service Privacy Policy 🌐 العربية
🔐

Welcome — Sign in or create an account for full access.

🔑 Sign In ✨ Register
🌐 العربية Sign In Create Account
🔧 Scheduled Maintenance — Saturday 2:00-4:00 AM AST. Some features may be temporarily unavailable.    ●   
💎
Pro Plan 50% Off Unlock all AI features, unlimited reports, and priority support. Upgrade
Search Center
ESC to close
navigate open Ctrl+K search
CISO Consulting
Global general Technology and Artificial Intelligence MEDIUM 1h Global general Technology and Artificial Intelligence HIGH 2h Global vulnerability Higher Education CRITICAL 11h Global data_breach Government HIGH 12h Global supply_chain Software Development and Open Source Communities CRITICAL 12h Global malware Software Development CRITICAL 12h Global phishing Multiple Sectors HIGH 12h Global vulnerability Web Applications CRITICAL 13h Global apt Critical Infrastructure CRITICAL 13h Global ransomware Multiple sectors CRITICAL 14h Global general Technology and Artificial Intelligence MEDIUM 1h Global general Technology and Artificial Intelligence HIGH 2h Global vulnerability Higher Education CRITICAL 11h Global data_breach Government HIGH 12h Global supply_chain Software Development and Open Source Communities CRITICAL 12h Global malware Software Development CRITICAL 12h Global phishing Multiple Sectors HIGH 12h Global vulnerability Web Applications CRITICAL 13h Global apt Critical Infrastructure CRITICAL 13h Global ransomware Multiple sectors CRITICAL 14h Global general Technology and Artificial Intelligence MEDIUM 1h Global general Technology and Artificial Intelligence HIGH 2h Global vulnerability Higher Education CRITICAL 11h Global data_breach Government HIGH 12h Global supply_chain Software Development and Open Source Communities CRITICAL 12h Global malware Software Development CRITICAL 12h Global phishing Multiple Sectors HIGH 12h Global vulnerability Web Applications CRITICAL 13h Global apt Critical Infrastructure CRITICAL 13h Global ransomware Multiple sectors CRITICAL 14h
Vulnerabilities

CVE-2026-0702

High
The VidShop – Shoppable Videos for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'fields' parameter in all versions up to, and including, 1.1.4 due to insufficient
CWE-89 — Weakness Type
Published: Jan 28, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
CVSS v3
7.5
🔗 NVD Official
📄 Description (English)

The VidShop – Shoppable Videos for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'fields' parameter in all versions up to, and including, 1.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

🤖 AI Executive Summary

CVE-2026-0702 is a critical SQL injection vulnerability in the VidShop WordPress plugin affecting versions up to 1.1.4. Unauthenticated attackers can exploit the 'fields' parameter to extract sensitive database information through time-based SQL injection. With a CVSS score of 7.5 and no authentication required, this poses an immediate threat to any WordPress e-commerce deployment using this plugin.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 3, 2026 07:18
🇸🇦 Saudi Arabia Impact Assessment
Saudi e-commerce and retail organizations using WooCommerce with the VidShop plugin are at direct risk. Primary impact sectors include: (1) Retail & E-commerce platforms operating under CITC regulations, (2) Banking sector if integrated with payment gateways (SAMA oversight), (3) Government e-procurement portals (NCA jurisdiction), (4) Telecom companies (STC, Mobily) offering digital services. Attackers can extract customer PII, payment card data, order information, and administrative credentials, leading to data breach compliance violations under Saudi Data Protection Law and SAMA banking regulations.
🏢 Affected Saudi Sectors
Retail & E-commerce Banking & Financial Services Government & Public Sector Telecommunications Healthcare Hospitality & Tourism
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:

1. Identify all WordPress installations using VidShop plugin versions ≤1.1.4 across your infrastructure

2. Disable or deactivate the VidShop plugin immediately if not critical to operations

3. Implement Web Application Firewall (WAF) rules to block SQL injection patterns in 'fields' parameter



PATCHING:

1. Update VidShop plugin to version 1.1.5 or later immediately

2. Verify patch deployment across all WordPress instances

3. Test functionality post-patch in staging environment first



COMPENSATING CONTROLS (if immediate patching not possible):

1. Restrict database user permissions to minimum required privileges

2. Implement database activity monitoring and alerting for suspicious queries

3. Enable WordPress security plugins with SQL injection detection (Wordfence, Sucuri)

4. Apply input validation rules at WAF level for 'fields' parameter



DETECTION RULES:

1. Monitor for time-based SQL injection patterns: SLEEP(), BENCHMARK(), WAITFOR in HTTP requests

2. Alert on unusual database query execution times (>5 seconds)

3. Log all requests containing 'fields' parameter with special characters (', ", --, ;, /*)

4. Implement IDS signatures for WooCommerce SQL injection attempts



VERIFICATION:

1. Conduct vulnerability scan post-patch using OWASP ZAP or Burp Suite

2. Review database access logs for exploitation attempts

3. Audit customer data integrity for unauthorized access
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:

1. تحديد جميع تثبيتات WordPress التي تستخدم مكون VidShop بإصدارات ≤1.1.4 عبر البنية التحتية الخاصة بك

2. تعطيل أو إلغاء تنشيط مكون VidShop فوراً إذا لم يكن حرجاً للعمليات

3. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) لحظر أنماط حقن SQL في معامل 'fields'



التصحيح:

1. تحديث مكون VidShop إلى الإصدار 1.1.5 أو أحدث فوراً

2. التحقق من نشر التصحيح عبر جميع مثيلات WordPress

3. اختبار الوظائف بعد التصحيح في بيئة التجريب أولاً



الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):

1. تقييد أذونات مستخدم قاعدة البيانات إلى الحد الأدنى المطلوب

2. تنفيذ مراقبة نشاط قاعدة البيانات والتنبيهات للاستعلامات المريبة

3. تفعيل مكونات أمان WordPress مع كشف حقن SQL (Wordfence, Sucuri)

4. تطبيق قواعد التحقق من الإدخال على مستوى WAF لمعامل 'fields'



قواعد الكشف:

1. مراقبة أنماط حقن SQL المستندة إلى الوقت: SLEEP()، BENCHMARK()، WAITFOR في طلبات HTTP

2. التنبيه على أوقات تنفيذ استعلامات قاعدة البيانات غير العادية (>5 ثوان)

3. تسجيل جميع الطلبات التي تحتوي على معامل 'fields' بأحرف خاصة ('، "، --، ;، /*)

4. تنفيذ توقيعات IDS لمحاولات حقن SQL في WooCommerce



التحقق:

1. إجراء فحص الثغرات بعد التصحيح باستخدام OWASP ZAP أو Burp Suite

2. مراجعة سجلات الوصول إلى قاعدة البيانات لمحاولات الاستغلال

3. تدقيق سلامة بيانات العملاء للوصول غير المصرح به
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for supplier relationships ECC 2024 A.12.6.1 - Management of technical vulnerabilities ECC 2024 A.14.2.5 - Addressing information security in supplier agreements
🔵 SAMA CSF
SAMA CSF 2.2 - Vulnerability Management SAMA CSF 3.1 - Access Control and Authentication SAMA CSF 4.2 - Data Protection and Privacy
🟡 ISO 27001:2022
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities ISO 27001:2022 A.14.2.1 - Supplier security requirements ISO 27001:2022 A.8.3.1 - Access control implementation
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates PCI DSS 6.5.1 - Injection flaws prevention PCI DSS 11.2 - Vulnerability scanning
📊 CVSS Score
7.5
/ 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack VectorN — None / Network
Attack ComplexityL — Low / Local
Privileges RequiredN — None / Network
User InteractionN — None / Network
ScopeU — Unchanged
ConfidentialityH — High
IntegrityN — None / Network
AvailabilityN — None / Network
📋 Quick Facts
Severity High
CVSS Score7.5
CWECWE-89
EPSS0.04%
Exploit No
Patch ✓ Yes
Published 2026-01-28
Source Feed nvd
Views 5
🇸🇦 Saudi Risk Score
8.2
/ 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
CWE-89
⚡ Actions
🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details
Share this CVE
LinkedIn X / Twitter WhatsApp Telegram

💬 Comments

0
Loading comments
📣 Found this valuable?
Share it with your cybersecurity network
in LinkedIn 𝕏 X / Twitter 💬 WhatsApp ✈ Telegram
🍪 Privacy Preferences
CISO Consulting — Compliant with Saudi Personal Data Protection Law (PDPL)
We use cookies and similar technologies to provide the best experience on our platform. You can choose which types you accept.
🔒
Essential Always On
Required for the website to function properly. Cannot be disabled.
📋 Sessions, CSRF tokens, authentication, language preferences
📊
Analytics
Help us understand how visitors use the site and improve performance.
📋 Page views, session duration, traffic sources, performance metrics
⚙️
Functional
Enable enhanced features like content personalization and preferences.
📋 Dark/light theme, font size, custom dashboards, saved filters
📣
Marketing
Used to deliver content and ads relevant to your interests.
📋 Campaign tracking, retargeting, social media analytics
Privacy Policy →
CISO AI Assistant
Ask anything · Documents · Support
🔐

Introduce Yourself

Enter your details to access the full assistant

Your info is private and never shared
💬
CyberAssist
Online · responds in seconds
5 / 5
🔐 Verify Your Identity

Enter your email to receive a verification code before submitting a support request.

Enter to send · / for commands 0 / 2000
CISO AI · Powered by Anthropic Claude
✦ Quick Survey Help Us Improve CISO Consulting Your feedback shapes the future of our platform — takes less than 2 minutes.
⚠ Please answer this question to continue

How would you rate your overall experience with our platform?

Rate from 1 (poor) to 5 (excellent)

🎉
Thank you!
Your response has been recorded.