A SQL Injection vulnerability has been discovered in the WordPress Advanced Local Pickup for WooCommerce Plugin. This vulnerability could allow a malicious actor to directly interact with the database, including but not limited to stealing information.

This vulnerability was discovered and reported by Marco Wotschka.

The vulnerability is caused by a lack of input validation in the plugin’s code. This allows an attacker to inject malicious code into the website, which is then executed when visitors visit the site.


This vulnerability is of high severity, boasting a CVSS 3.1 score of 7.2. This rating underscores the notable danger it poses to the integrity of the WordPress website.

Affected Versions:

All versions of the WordPress Advanced Local Pickup for WooCommerce Plugin are affected by this vulnerability.


SQL Injection vulnerabilities can allow unauthorized actors to directly manipulate your website’s database. Potential consequences include unauthorized access, data theft, and other malicious actions, all of which can undermine a website’s security and functionality.


Considering the high severity of this vulnerability, advise the following courses of action to secure the WordPress website:

  1. Stay Informed: Keep a watchful eye on updates and announcements from the plugin developer regarding this vulnerability. As soon as a patch or update becomes available, apply it promptly.
  2. Regular Update Practices: Ensure that all of WordPress plugins, themes, and the WordPress core are consistently updated to minimize known vulnerabilities.
  3. Elevated Security Measures: Contemplate implementing added security measures such as web application firewalls (WAFs), security plugins, and regular security audits to enhance the website’s defenses.

There is currently no patched version of the WordPress Advanced Local Pickup for WooCommerce Plugin available. To mitigate the risk of exploitation, it is recommended to disable the plugin until a patched version is released.