Impact
Improper neutralization of special elements in an SQL command (SQL injection) is present in the Printcart Web to Print Product Designer for WooCommerce plugin. The flaw allows an attacker to inject arbitrary SQL statements through plugin input fields, potentially leading to unauthorized query execution, data disclosure, or data modification in the WordPress database. The likely attack vector is crafted input sent to exposed plugin endpoints; however, the official description does not state whether authentication is required, so the vulnerability may be reachable by both authenticated and unauthenticated users if no access controls guard the affected endpoints.
Affected Systems
The affected system is the WordPress plugin Printcart Web to Print Product Designer for WooCommerce, provided by Printcart. All versions up to and including 2.4.0 are impacted (the lower bound of the affected range is listed as n/a). The plugin is commonly used on WooCommerce installations to enable custom product design features.
Risk and Exploitability
The CVSS score of 8.5 indicates high severity. The EPSS score of less than 1% suggests a low but nonzero probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Given the nature of SQL injection, a successful exploit could give an attacker read or write access to the database, compromising the confidentiality and integrity of store data. No official fix is referenced, so remediation relies on upgrading to a patched version once one is available, or on applying mitigating controls such as WAF rules in the meantime.
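For context on the weakness class, the following is an added illustrative example and not code from the Printcart plugin: it shows the generic WordPress pattern behind CWE-89 findings of this kind (request input concatenated into a query) next to a hardened form that binds the value with $wpdb->prepare() and gates the endpoint behind a nonce and capability check, which also addresses the authentication question left open above. The function names, table name and request parameter are assumptions.

```php
<?php
// Added example, not the plugin's code. Table name, function names and the
// 'design_id' parameter are hypothetical.

// Vulnerable pattern: untrusted request input is spliced into the SQL text,
// so the input can alter the structure of the query (CWE-89).
function pc_example_get_design_vulnerable( $design_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_designs'; // hypothetical table
    $sql   = "SELECT * FROM {$table} WHERE id = '" . $design_id . "'";
    return $wpdb->get_row( $sql );
}

// Hardened form: the value is coerced to an integer and bound through
// $wpdb->prepare(), so it can only ever be treated as data.
function pc_example_get_design_fixed( $design_id ) {
    global $wpdb;
    $design_id = absint( $design_id ); // non-negative integer or 0
    if ( 0 === $design_id ) {
        return null;
    }
    $table = $wpdb->prefix . 'example_designs';
    $sql   = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $design_id );
    return $wpdb->get_row( $sql );
}

// Endpoint wrapper: verify a nonce and a capability before any database access,
// so the query is not reachable by unauthenticated callers.
function pc_example_ajax_get_design() {
    check_ajax_referer( 'pc_example_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw = isset( $_POST['design_id'] ) ? $_POST['design_id'] : 0;
    wp_send_json_success( pc_example_get_design_fixed( $raw ) );
}
add_action( 'wp_ajax_pc_example_get_design', 'pc_example_ajax_get_design' );
```

Registering only the wp_ajax_ hook (and not wp_ajax_nopriv_) keeps the handler unavailable to logged-out users, which is the control whose absence would make the issue unauthenticated.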
OpenCVE Enrichment