Impact
The vulnerability is an improper neutralization of special elements in SQL commands, commonly known as SQL injection. The flaw exists in MC Woocommerce Wishlist's smart-wishlist-for-more-convert component, which fails to sanitize user input that becomes part of database queries. Successful exploitation could allow an attacker to read, modify, or delete data in the site’s database, potentially exposing customer details or altering order information. The weakness corresponds to CWE‑89.
Affected Systems
Any installation of MC Woocommerce Wishlist by Moreconvert Team with a version labeled 1.8.9 or earlier is susceptible. Earlier undisclosed versions are also considered vulnerable, as the plugin appears to lack protective checks prior to 1.8.9.
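One way to check a site against the affected range stated above. This is an added example, not code from the advisory or from the plugin. It assumes the plugin is installed in a directory named after the component (smart-wishlist-for-more-convert) and uses a constructed sample header. A version above 1.8.9 is reported only as outside the stated range, since the advisory names no fixed release.

```python
import re
import tempfile
from pathlib import Path

SLUG = "smart-wishlist-for-more-convert"  # assumed directory name (component named in the advisory)
LAST_AFFECTED = (1, 8, 9)                 # "1.8.9 or earlier" per the advisory

# WordPress reads plugin metadata from a header comment in the first 8 KB of the main file.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

def parse_version(text):
    """Turn '1.8.9' or '1.8.9-beta' into a comparable tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))

def plugin_version(plugin_dir):
    """Return the Version header of the plugin's main PHP file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        match = HEADER_RE.search(head)
        if "Plugin Name:" in head and match:
            return match.group(1)
    return None

def is_affected(version):
    """True for 1.8.9 or earlier; a missing or unreadable version is flagged too."""
    if not version:
        return True
    v = parse_version(version)
    width = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))  # so that 1.8 compares as 1.8.0
    return pad(v) <= pad(LAST_AFFECTED)

def check_site(plugins_root):
    """Return (installed, version, affected) for one wp-content/plugins directory."""
    plugin_dir = Path(plugins_root) / SLUG
    if not plugin_dir.is_dir():
        return (False, None, False)
    version = plugin_version(plugin_dir)
    return (True, version, is_affected(version))

def demo():
    """Run the check against a constructed plugin tree (sample data, not the real plugin)."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / SLUG).mkdir()
        header = "<?php\n/*\n * Plugin Name: Constructed Sample\n * Version: 1.8.9\n */\n"
        (Path(root) / SLUG / "main.php").write_text(header)
        return check_site(root)

if __name__ == "__main__":
    print(demo())
```

Point check_site at each site's wp-content/plugins directory to inventory installations that fall in the affected range.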
Risk and Exploitability
The CVSS score of 7.6 indicates high severity. The EPSS score of less than 1% implies that the probability of active exploitation is low at the time of this analysis, and the issue is not listed in the CISA KEV catalog. The likely attack vector is a malicious user interacting with the plugin’s wishlist functionality and sending specially crafted payloads that bypass input validation and execute arbitrary SQL against the backend database. The impact is confined to the application’s database and the content accessible to an attacker who exploits the flaw.