Advisory Database

CVE-2026-32271: Craft Commerce has a SQL Injection that can lead to Remote Code Execution via the TotalRevenue Widget

April 14, 2026

A SQL injection in the Commerce TotalRevenue widget can lead to remote code execution through a chain of four vulnerabilities:

  • SQL Injection – The TotalRevenue stat interpolates unsanitized widget settings directly into a sprintf-based SQL Expression. Any control panel user can create any widget type without permission checks.

  • PDO Multi-Statement Queries – PHP's PDO MySQL driver enables CLIENT_MULTI_STATEMENTS by default, and neither Yii2 nor Craft CMS disables it. This allows an INSERT statement to be stacked after the injected SELECT, writing a maliciously serialized PHP object into the queue table.

  • Unrestricted unserialize() – The yii2-queue PhpSerializer calls unserialize() with no allowed_classes restriction on every queue job. When the queue consumer processes the injected job, it instantiates the attacker-controlled object.

  • Gadget Chain (FileCookieJar) – GuzzleHttp\Cookie\FileCookieJar (shipped with Guzzle, a standard Craft dependency) has an unguarded __destruct() method that calls file_put_contents(). The attacker's serialized payload writes a PHP webshell to the server's webroot. PHP tags survive json_encode() because Guzzle calls it with options=0 (no JSON_HEX_TAG).

The complete chain requires 3 HTTP requests and achieves arbitrary command execution as the PHP process user. Queue processing is triggered via GET /actions/queue/run, an endpoint that requires no authentication ($allowAnonymous = ['run']).
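The following is an added example, not code from Craft Commerce, Yii, Guzzle or this advisory. It reproduces the shape of the three application-level links described above (sprintf-built SQL, PDO multi-statements, unrestricted unserialize) next to the hardening a reviewer would ask for at each. The function names, the $dateRange setting, the table and column names, the WritesOnDestruct class and the 'App\Jobs\SendReceipt' allow-list entry are hypothetical; it also assumes that Craft's config/db.php 'attributes' array is passed through unchanged to the PDO constructor by yii\db\Connection.

```php
<?php
// Added example (not Craft Commerce, Yii or Guzzle code). Helper names, the
// $dateRange setting, table/column names and WritesOnDestruct are hypothetical.
declare(strict_types=1);

// --- Link 1: a widget setting pasted into sprintf-built SQL -------------------
// A value containing a quote and a semicolon closes the SELECT and starts a
// second statement; nothing here stops it.
function buildRevenueSqlVulnerable(string $dateRange): string
{
    return sprintf(
        "SELECT SUM(totalPaid) FROM commerce_orders WHERE dateOrdered >= '%s'",
        $dateRange
    );
}

// Hardened: the setting is only a key into a fixed allow-list, the derived date
// is a bound parameter, and the SQL text itself is constant. With Yii this is
// new \yii\db\Expression($sql, $params); the pair is returned as an array so
// the example runs without a database.
const ALLOWED_RANGES = [
    'today'     => 'today',
    'last7Days' => '-7 days',
    'thisMonth' => 'first day of this month',
];

function buildRevenueSqlSafe(string $dateRange, DateTimeImmutable $now): array
{
    if (!array_key_exists($dateRange, ALLOWED_RANGES)) {
        throw new InvalidArgumentException('Unknown date range setting');
    }
    $since = $now->modify(ALLOWED_RANGES[$dateRange])->setTime(0, 0);
    return [
        'sql'    => 'SELECT SUM(totalPaid) FROM commerce_orders WHERE dateOrdered >= :since',
        'params' => [':since' => $since->format('Y-m-d H:i:s')],
    ];
}

// --- Link 2: PDO multi-statements --------------------------------------------
// pdo_mysql enables CLIENT_MULTI_STATEMENTS unless told otherwise, and
// PDO::MYSQL_ATTR_MULTI_STATEMENTS is only honoured in the constructor's
// driver-options array. yii\db\Connection hands its $attributes array to that
// constructor (assumption: Craft's config/db.php 'attributes' reaches it
// unchanged), so this is where the flag belongs.
function pdoDriverOptionsHardened(): array
{
    $options = [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION];
    if (defined('PDO::MYSQL_ATTR_MULTI_STATEMENTS')) { // only defined with pdo_mysql loaded
        $options[PDO::MYSQL_ATTR_MULTI_STATEMENTS] = false;
    }
    return $options;
}
// Usage: new PDO($dsn, $user, $password, pdoDriverOptionsHardened());
// With the flag off, a stacked "...; INSERT INTO queue ..." is rejected by the
// server as one malformed statement instead of executing the INSERT.

// --- Link 3: unserialize() of queue job payloads ------------------------------
// Constructed stand-in for a gadget: any class whose __destruct touches the
// filesystem is dangerous to instantiate from untrusted bytes.
final class WritesOnDestruct
{
    public string $target = 'constructed-example.txt';
    public function __destruct()
    {
        // A real gadget would call file_put_contents($this->target, ...) here.
        echo "__destruct ran for {$this->target}\n";
    }
}

// What PhpSerializer does: any class named in the payload is instantiated.
function decodeJobUnsafe(string $bytes): object
{
    return unserialize($bytes);
}

// Hardened: only the job classes the queue actually enqueues may be built;
// every other class comes back as __PHP_Incomplete_Class, which has no methods
// and therefore no __destruct or __wakeup to run.
function decodeJobSafe(string $bytes, array $allowedJobClasses): object
{
    return unserialize($bytes, ['allowed_classes' => $allowedJobClasses]);
}

echo buildRevenueSqlVulnerable("2026-01-01'; SELECT 1 -- "), "\n"; // two statements in one string
print_r(buildRevenueSqlSafe('thisMonth', new DateTimeImmutable('2026-04-14')));

$sample  = new WritesOnDestruct();                            // constructed, benign
$payload = serialize($sample);
$safe    = decodeJobSafe($payload, ['App\Jobs\SendReceipt']); // hypothetical allow-list
echo get_class($safe), "\n";                                  // __PHP_Incomplete_Class
$unsafe  = decodeJobUnsafe($payload);
echo get_class($unsafe), "\n";                                // WritesOnDestruct
// At script end __destruct runs for $sample and $unsafe, never for $safe.
```

Run with a PHP 8 CLI; no database is needed. The allow-list approach still trusts every class it names, so the job classes themselves must not carry dangerous magic methods; yii2-queue also ships yii\queue\serializers\JsonSerializer, which avoids unserialize() entirely at the cost of jobs having to be JSON-representable.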

References

  • github.com/advisories/GHSA-875v-7m49-8x88
  • github.com/craftcms/commerce
  • github.com/craftcms/commerce/commit/6d2d24b3a2b0c06593856d05446f82bd8af92d72
  • github.com/craftcms/commerce/security/advisories/GHSA-875v-7m49-8x88
  • nvd.nist.gov/vuln/detail/CVE-2026-32271


Affected versions

All versions starting from 4.0.0 before 4.10.3, all versions starting from 5.0.0 before 5.5.5

Fixed versions

  • 4.10.3
  • 5.5.5

Solution

Upgrade to versions 4.10.3, 5.5.5 or above.
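The following is an added example, not GitLab's or Craft's code: it reads the craftcms/commerce entry out of a composer.lock and compares it against the two affected ranges stated above. The composer.lock fragment at the bottom is constructed for the demonstration; the function names are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example (not GitLab's or Craft's code). Checks a composer.lock entry
// against the affected ranges for CVE-2026-32271. The lock is constructed.

// [first affected (inclusive), first fixed (exclusive)] per release line.
const COMMERCE_AFFECTED_RANGES = [
    ['4.0.0', '4.10.3'],
    ['5.0.0', '5.5.5'],
];

function isAffectedCommerceVersion(string $version): bool
{
    $v = ltrim($version, 'v');
    // Caveat: branch aliases such as "dev-main" do not compare meaningfully
    // with version_compare(); treat them as unknown and review by hand.
    if (str_starts_with($v, 'dev-')) {
        throw new UnexpectedValueException("Cannot evaluate dev version: $version");
    }
    foreach (COMMERCE_AFFECTED_RANGES as [$min, $fixed]) {
        if (version_compare($v, $min, '>=') && version_compare($v, $fixed, '<')) {
            return true;
        }
    }
    return false;
}

// Returns the locked version of $package from both the prod and dev sections,
// or null when the package is not installed.
function lockedVersion(string $lockJson, string $package): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $entry) {
            if (($entry['name'] ?? null) === $package) {
                return (string) $entry['version'];
            }
        }
    }
    return null;
}

// Constructed composer.lock fragment; real locks carry many more fields.
$constructedLock = json_encode([
    'packages' => [
        ['name' => 'craftcms/cms',      'version' => '5.6.0'],
        ['name' => 'craftcms/commerce', 'version' => '5.5.4'],
    ],
    'packages-dev' => [],
], JSON_THROW_ON_ERROR);

$version = lockedVersion($constructedLock, 'craftcms/commerce');
if ($version === null) {
    echo "craftcms/commerce is not installed\n";
} elseif (isAffectedCommerceVersion($version)) {
    echo "craftcms/commerce $version is affected by CVE-2026-32271; upgrade to 4.10.3 / 5.5.5 or later\n";
} else {
    echo "craftcms/commerce $version is not in an affected range\n";
}
```

To check a real project, replace $constructedLock with file_get_contents('composer.lock'). Note that the patch is in the Commerce package only; the PDO multi-statement default and the anonymous queue-run endpoint described above are unchanged by the upgrade.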

Impact 8.8 HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H


Weakness

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Source file

packagist/craftcms/commerce/CVE-2026-32271.yml



Page generated Sat, 09 May 2026 12:19:38 +0000.