Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in origincode Product Catalog displayproduct allows SQL Injection. This issue affects Product Catalog: from n/a through <= 1.0.4.
Published: 2025-03-26
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Product Catalog plugin for WordPress contains a classic SQL injection flaw where unsanitized input is concatenated into a database query. Attackers can supply crafted arguments to the displayproduct endpoint, causing arbitrary SQL commands to run. This could result in full database compromise, theft of sensitive customer data, or the insertion of malicious content.

Affected Systems

The vulnerability affects the origincode Product Catalog plugin, versions up to and including 1.0.4, when deployed within any WordPress installation that uses the displayproduct feature. No specific operating system or WordPress core version is required for the flaw; any instance that allows external users to interact with the plugin is vulnerable.

Risk and Exploitability

With a CVSS score of 9.3, the severity is high, yet the EPSS score is below 1% and the flaw is not yet in the CISA KEV list, implying exploitation is currently rare. The most likely attack vector is a remote user sending a malicious request to the plugin via the web interface; the attacker does not need authentication. Once exploited, the attacker can perform any actions permitted by the database credentials used by WordPress, which often include full SELECT, INSERT, UPDATE, and DELETE rights.

Generated by OpenCVE AI on May 1, 2026 at 13:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Product Catalog plugin to the latest available version (greater than 1.0.4) as soon as possible.
  • If no newer version is released, deactivate or uninstall the plugin to eliminate the vulnerable functionality.
  • Implement a web application firewall rule set that detects and blocks SQL injection patterns on the displayproduct endpoint; the code-level fix is to build the query with prepared statements or parameterized queries instead of string concatenation.
  • Restrict access to the displayproduct endpoint to authenticated administrators only, using .htaccess or plugin settings, to reduce exposure.

Generated by OpenCVE AI on May 1, 2026 at 13:10 UTC.
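The following is an added example, not code from the Product Catalog plugin or from OpenCVE, illustrating the CWE-89 shape described in the Impact section and the prepared-statement fix named in the recommended actions. It runs stand-alone against an in-memory SQLite database through PDO; the products table, its rows, the "product_id" parameter name and both display functions are constructed assumptions (the plugin's real query and parameter names are not on this page). The comment mapping to $wpdb->prepare shows the WordPress equivalent of the hardened form.

```php
<?php
// Added example (not the plugin's code): a request value concatenated into SQL
// versus the same lookup done with a bound parameter. Schema, rows and the
// "product_id" parameter are constructed for illustration.
declare(strict_types=1);

function build_catalog(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL, internal_note TEXT)');
    $pdo->exec("INSERT INTO products VALUES (1, 'Lamp', 19.99, 'supplier: acme'), (2, 'Chair', 49.00, 'supplier: beta')");
    return $pdo;
}

// Vulnerable pattern (hypothetical, mirrors the advisory's description): the
// request value is interpolated into the SQL string, so the database parses
// whatever the client sent as part of the statement itself.
function display_product_vulnerable(PDO $pdo, string $product_id): array {
    $sql = "SELECT id, name, price FROM products WHERE id = " . $product_id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the value is sent as a bound parameter and is never parsed
// as SQL. In a WordPress plugin the equivalent is
//   $wpdb->get_results( $wpdb->prepare( "SELECT ... WHERE id = %d", $product_id ) );
function display_product_safe(PDO $pdo, string $product_id): array {
    // Also validate the type at the boundary: a product id must be an integer.
    if (!ctype_digit($product_id)) {
        return [];
    }
    $stmt = $pdo->prepare('SELECT id, name, price FROM products WHERE id = :id');
    $stmt->execute([':id' => (int) $product_id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = build_catalog();

// Constructed request values: a normal id and a tampered one that turns the
// WHERE clause into a tautology when concatenated.
$normal   = '1';
$tampered = '1 OR 1=1';

printf("vulnerable, normal input:   %d row(s)\n", count(display_product_vulnerable($pdo, $normal)));
printf("vulnerable, tampered input: %d row(s)\n", count(display_product_vulnerable($pdo, $tampered)));
printf("safe, normal input:         %d row(s)\n", count(display_product_safe($pdo, $normal)));
printf("safe, tampered input:       %d row(s)\n", count(display_product_safe($pdo, $tampered)));
```

Run it with the php CLI (pdo_sqlite is bundled in standard builds). The concatenating function returns every row for the tampered value because the filter condition has been rewritten by the input, while the prepared-statement function returns only the requested product for a valid id and nothing for the tampered one, since the value is rejected at the type check and would in any case be bound as data rather than parsed as SQL. A WAF rule on the endpoint, as the recommendation above suggests, reduces exposure, but only the parameterized query removes the flaw.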

Tracking


Advisories
Source: EUVD
ID: EUVD-2025-8134
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in origincode Product Catalog allows SQL Injection. This issue affects Product Catalog: from n/a through 1.0.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in origincode Product Catalog allows SQL Injection. This issue affects Product Catalog: from n/a through 1.0.4. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in origincode Product Catalog displayproduct allows SQL Injection.This issue affects Product Catalog: from n/a through <= 1.0.4.
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Wed, 26 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 26 Mar 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in origincode Product Catalog allows SQL Injection. This issue affects Product Catalog: from n/a through 1.0.4.
Title WordPress Product Catalog plugin <= 1.0.4 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:53.098Z

Reserved: 2025-03-24T12:59:27.903Z

Link: CVE-2025-30524

Vulnrichment

Updated: 2025-03-26T14:53:23.459Z

NVD

Status : Deferred

Published: 2025-03-26T15:16:22.580

Modified: 2026-04-23T15:26:47.803

Link: CVE-2025-30524

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T13:15:20Z

Weaknesses