KomSeo Cart 1.3 contains a classic SQL injection vulnerability that allows attackers to inject arbitrary SQL through the my_item_search parameter in edit.php. By submitting crafted POST requests, an adversary can employ boolean‑based blind or error‑based techniques to extract sensitive data from the database. This results in a breach of confidentiality, as the attacker may read private information stored in the database. The weakness corresponds to CWE‑89, which represents unvalidated input that leads to SQL injection.

The issue affects the Sitemakin KomSeo Cart application version 1.3. The CNA data does not list any other affected versions, so the scope is limited to this release. No other products or vendors are identified.

The base CVSS score of 8.8 indicates high severity. The EPSS score of less than 1  that, at the time of assessment, the probability of exploitation is low, although the vulnerability is publicly known. The vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog, meaning there is no confirmed active exploitation in the wild. The attack vector is most likely remote over the network: an attacker who can reach the exposed web application and submit POST data to edit.php can trigger the injection. No special privileges or pre‑existing access are mentioned in the CVE description, so a standard web‑app attacker with access to the public interface can attempt exploitation. Successful exploitation would allow the attacker to read sensitive data from the database, potentially including customer information, order details, or other confidential data.