PatchSiren cyber security CVE debrief
CVE-2026-12936 devitemsllc CVE debrief
The Recurio – Ultimate Subscription for WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 1.1.3. This vulnerability is due to insufficient escaping on the user-supplied parameter and a lack of sufficient preparation on the existing SQL query. Authenticated attackers with shop manager-level access and above can inject SQL queries to extract sensitive information from the database. This type of vulnerability typically allows attackers to access sensitive data, execute unauthorized actions, or potentially elevate their privileges within the affected system. The CVSS score of 4.9 indicates a medium severity, highlighting the need for prompt attention and remediation.
- Vendor
- devitemsllc
- Product
- Recurio – Ultimate Subscription for WooCommerce
- CVSS
- MEDIUM 4.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-08
Who should care
Authenticated attackers with shop manager-level access and above should be concerned as they can inject SQL queries to extract sensitive information from the database. Additionally, security teams, vulnerability management teams, and operators of the affected WordPress installations should prioritize assessing their exposure and applying necessary mitigations. Platform administrators and security personnel responsible for the Recurio – Ultimate Subscription for WooCommerce plugin should review the vulnerability details and implement recommended actions to prevent potential exploitation.
Technical summary
The Recurio – Ultimate Subscription for WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 1.1.3. This is due to insufficient escaping on the user-supplied parameter and a lack of sufficient preparation on the existing SQL query. Authenticated attackers with shop manager-level access and above can append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The vulnerability's technical impact includes potential unauthorized data access and manipulation, emphasizing the need for proper input validation and query sanitization.
Defensive priority
Medium priority due to the CVSS score of 4.9 and the potential for sensitive information disclosure.
Recommended defensive actions
- Inventory and verify the Recurio – Ultimate Subscription for WooCommerce plugin version.
- Restrict access to the plugin's functionality to only necessary personnel.
- Implement additional monitoring for suspicious database queries.
- Apply the vendor's remediation as soon as it becomes available.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-08T12:17:19.923Z and was last modified on 2026-07-08T14:55:07.843Z. The NVD entry is currently Deferred. The Recurio – Ultimate Subscription for WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 1.1.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. Authenticated attackers with shop manager-level access and above can append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Evidence limits suggest verifying the plugin version, reviewing official advisories, and monitoring for suspicious database queries.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T12:17:19.923Z and has not been modified since then. The NVD entry is currently Deferred.