CVE-2025-14770 in Shipping Rate By Cities Plugin

Summary

by MITRE • 01/14/2026

The Shipping Rate By Cities plugin for WordPress is vulnerable to SQL Injection via the 'city' parameter in all versions up to, and including, 2.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.


Analysis

by VulDB Data Team • 01/14/2026

The Shipping Rate By Cities plugin for WordPress contains a critical SQL Injection vulnerability affecting all versions up to and including 2.0.0. The flaw stems from inadequate input validation and sanitization in the plugin's handling of the 'city' parameter: user-supplied data is incorporated directly into SQL queries without escaping or parameterization, so unauthenticated threat actors can manipulate database operations. Because the existing query is not prepared, malicious input becomes part of the SQL statement itself and can introduce additional SQL commands that execute in the database context. The weakness is classified as CWE-89, the category for SQL injection flaws arising from improper handling of data in database queries.

The attack vector is the plugin's city-based shipping rate calculation, where the 'city' parameter is the entry point for attacker-controlled input. When crafted SQL syntax is supplied in this parameter, the plugin's insufficient sanitization lets it execute as part of the database query, potentially exposing sensitive information such as user credentials, personal data, or administrative access details. The impact is not limited to data extraction: the same flaw can enable unauthorized data modification or deletion, or privilege escalation within the WordPress environment. This is particularly dangerous in WordPress deployments, where plugins typically have direct database access and may expose administrative functions that can be leveraged for further compromise.

The ATT&CK framework categorizes this as a database query injection technique under the broader category of command and control communications, where adversaries manipulate application logic to achieve unauthorized access. Organizations running affected versions face a significant risk of data breach and system compromise, since exploitation requires no authentication and the flaw can be found by automated scanners as well as by manual attackers. The vulnerability reflects a failure to apply secure coding practices, above all parameterized queries and input validation for every database interaction. Database administrators and security teams should prioritize immediate remediation by updating the plugin or, where that is not yet possible, by deploying compensating controls that block unauthorized database access.
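As an added illustration of the defect class described above (this is example code, not code from the Shipping Rate By Cities plugin; the table name `srbc_rates`, the function names and the AJAX action name are assumptions, since only the 'city' parameter is known from the advisory), the following PHP shows the vulnerable string-concatenation pattern beside a hardened lookup. The hardened version validates the parameter against an allow-list and binds it with WordPress's `$wpdb->prepare()`, which is the preparation step the advisory says is missing.

```php
<?php
/**
 * Illustrative only. The plugin's real table, column and function names are
 * unknown here; `srbc_rates`, the function names and the AJAX action below
 * are assumed for the sake of the example. Only the 'city' parameter comes
 * from the advisory.
 */

// --- Vulnerable pattern (the class of bug the advisory describes) -----------
// The request value is dropped straight into the SQL string. Quotes and
// operators inside it become part of the statement, so an unauthenticated
// caller can change the shape of the query rather than just its value.
function srbc_get_rate_vulnerable( $city ) {
    global $wpdb;
    $table = $wpdb->prefix . 'srbc_rates';   // assumed table name
    $sql   = "SELECT rate FROM {$table} WHERE city = '{$city}'";
    return $wpdb->get_var( $sql );
}

// --- Hardened pattern -------------------------------------------------------
// 1. Unslash and sanitize the raw request value.
// 2. Apply an allow-list describing what a city name may legitimately contain.
// 3. Bind the value with $wpdb->prepare(); the %s placeholder is quoted and
//    escaped by wpdb itself, so the value can never alter the query structure.
// Note that sanitize_text_field() alone is not SQL-safe; it removes tags and
// control characters but does not neutralise quotes. Step 3 is what prevents
// injection, steps 1 and 2 are defence in depth.
function srbc_get_rate_hardened( $city ) {
    global $wpdb;

    $city = sanitize_text_field( wp_unslash( $city ) );

    // Allow-list: letters (including accented), spaces, dots, apostrophes and
    // hyphens, with a bounded length. Anything else is rejected before it
    // reaches the database.
    if ( '' === $city || ! preg_match( '/^[\p{L} .\'-]{1,100}$/u', $city ) ) {
        return new WP_Error( 'srbc_bad_city', 'Invalid city name.' );
    }

    $table = $wpdb->prefix . 'srbc_rates';   // assumed table name
    // No quotes around %s: wpdb::prepare() adds and escapes them.
    $sql = $wpdb->prepare( "SELECT rate FROM {$table} WHERE city = %s", $city );

    return $wpdb->get_var( $sql );
}

// Request handler reading the parameter the advisory names. It uses the
// hardened lookup and returns a 400 for rejected input. Registered for both
// logged-in and anonymous callers because the advisory notes the endpoint is
// reachable unauthenticated.
function srbc_rate_endpoint() {
    $raw  = isset( $_GET['city'] ) ? $_GET['city'] : '';   // validated inside
    $rate = srbc_get_rate_hardened( $raw );
    if ( is_wp_error( $rate ) ) {
        wp_send_json_error( array( 'message' => $rate->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'rate' => $rate ) );
}
add_action( 'wp_ajax_nopriv_srbc_rate', 'srbc_rate_endpoint' );   // assumed action
add_action( 'wp_ajax_srbc_rate', 'srbc_rate_endpoint' );
```

The key design point is the order of defences: the allow-list shrinks the input space to what a shipping-rate lookup actually needs, and `$wpdb->prepare()` guarantees that whatever survives is treated as data, not SQL. Escaping-oriented helpers such as `sanitize_text_field()` or `esc_sql()` on their own are not a substitute for the prepared statement.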

Disclosure

01/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00116

KEV

no

Activities

very low

Sources
