Craft Commerce: SQL Injection can lead to Remote Code Execution via TotalRevenue Widget
Summary
| CVE | CVE-2026-32271 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-13 21:16:24 UTC |
| Updated | 2026-04-13 21:16:24 UTC |
| Description | Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through a four-step exploitation chain. The attack exploits unsanitized widget settings interpolated into SQL expressions, combined with PDO's default multi-statement query support, to inject a maliciously serialized PHP object into the queue table. When the queue consumer processes the injected job, the unrestricted unserialize() call in yii2-queue instantiates a GuzzleHttp FileCookieJar gadget chain whose __destruct() method writes a PHP webshell to the server's webroot. The complete chain requires only three HTTP requests, no administrative privileges, and results in arbitrary command execution as the PHP process user, with queue processing triggered via an unauthenticated endpoint. This issue has been fixed in versions 4.10.3 and 5.5.5. |
Risk And Classification
Primary CVSS: v4.0 7.7 HIGH from [email protected]
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Problem Types: CWE-89 | CWE-89 CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 7.7 | HIGH | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | DECLARED | 7.7 | HIGH | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
HighAttack Requirements
NonePrivileges Required
LowUser Interaction
NoneConfidentiality
HighIntegrity
HighAvailability
HighSub Conf.
NoneSub Integrity
NoneSub Availability
NoneCVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/craftcms/commerce/security/advisories/GHSA-875v-7m49-8x88 | [email protected] | github.com | |
| github.com/craftcms/commerce/commit/6d2d24b3a2b0c06593856d05446f82bd8af9... | [email protected] | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.