Impact
This vulnerability is an improper neutralization of special elements used in an SQL command, that is, SQL injection. The Actionwear products sync plugin allows an attacker to inject arbitrary SQL statements, potentially exposing sensitive data, modifying database contents, or extending the compromise to the database layer. No direct exploitation evidence is reported, but the impact could be significant if an attacker can read or alter application data or credentials.
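The following is an added illustration of the vulnerability class named above, not code from the Actionwear products sync plugin, whose schema and endpoints this advisory does not describe. It builds a constructed in-memory SQLite database with a hypothetical product table and a hypothetical credential table, then runs the same lookup two ways: with the request parameter concatenated into the statement (the CWE-89 pattern) and with the parameter bound by the driver. The payloads are constructed too; they show how a tautology returns every row and how a UNION reads rows from an unrelated table, which is the "exposing credentials" outcome the advisory warns about.

```python
import sqlite3

# Constructed sample data standing in for a product table and a credential
# table. Neither is the plugin's real schema; the advisory does not describe it.
SAMPLE_PRODUCTS = [
    ("ACT-001", "Hoodie", 29.90),
    ("ACT-002", "Cap", 12.50),
    ("ACT-003", "T-shirt", 15.00),
]
SAMPLE_USERS = [("admin", "$P$Bconstructed-hash")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT, name TEXT, price REAL)")
    conn.execute("CREATE TABLE users (login TEXT, hash TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, sku):
    """CWE-89 pattern: the request parameter is pasted into the statement,
    so quotes and keywords inside it are parsed as SQL."""
    query = f"SELECT sku, name FROM products WHERE sku = '{sku}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, sku):
    """Hardened form: the value is bound by the driver and is only ever
    compared as data, never parsed as part of the statement."""
    return conn.execute(
        "SELECT sku, name FROM products WHERE sku = ?", (sku,)
    ).fetchall()


# Constructed payloads: a tautology that returns every row, and a UNION that
# pulls rows from an unrelated table. The trailing '--' comments out the
# closing quote the template appends.
TAUTOLOGY = "' OR '1'='1"
UNION_READ = "' UNION SELECT login, hash FROM users--"


def demo():
    """Run legitimate and hostile input through both lookups."""
    conn = make_db()
    return {
        "legit_unsafe": lookup_unsafe(conn, "ACT-001"),
        "tautology_unsafe": lookup_unsafe(conn, TAUTOLOGY),
        "union_unsafe": lookup_unsafe(conn, UNION_READ),
        "tautology_safe": lookup_safe(conn, TAUTOLOGY),
        "union_safe": lookup_safe(conn, UNION_READ),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The unsafe lookup returns all three products for the tautology and the constructed admin hash for the UNION payload; the bound version returns no rows for either, because the whole payload is compared against the sku column as a literal string. In a WordPress plugin the equivalent of the bound form is $wpdb->prepare() with placeholders.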
Affected Systems
All installations of the Actionwear products sync plugin from the initial release up to and including version 2.3.3 are affected. No patched release or further version details have been identified from the vendor, marcoingraiti, beyond the 2.3.3 upper bound; any site running any version up to and including 2.3.3 should therefore be treated as exposed.
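To turn the affected range above into a check an administrator can run, the added example below (not code from the plugin or its vendor) parses the "Version:" header that WordPress plugins declare in their main plugin file and compares it numerically against the 2.3.3 upper bound. The header text is constructed; the real main file name and header of this plugin are not given on this page. The comparison is done component by component because a plain string comparison would misorder versions such as 2.3.10 against 2.3.3.

```python
import re
from typing import Optional, Tuple

# Inclusive upper bound of the affected range stated in the advisory.
LAST_AFFECTED = "2.3.3"

# Constructed plugin header. WordPress plugins declare their version in a
# "Version:" header comment in the main plugin file; the real file name and
# header text of this plugin are not given on this page.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Actionwear products sync
 * Version: 2.3.1
 */
"""

# Mirrors the shape of WordPress's own header regex: optional comment
# punctuation, the header name, a colon, then the value.
_VERSION_RE = re.compile(
    r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE | re.IGNORECASE
)


def parse_version(header: str) -> Optional[str]:
    """Return the declared Version header value, or None if absent."""
    m = _VERSION_RE.search(header)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Split 'a.b.c' into integers; a suffix such as '3-beta' keeps its
    leading digits, and a component with no digits counts as 0."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def is_affected(version: str, last_affected: str = LAST_AFFECTED) -> bool:
    """Component-wise numeric comparison against the inclusive upper bound.
    A plain string comparison would wrongly treat '2.3.10' as older than '2.3.3'."""
    a, b = version_tuple(version), version_tuple(last_affected)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # so that 2.3 compares as 2.3.0
    b += (0,) * (width - len(b))
    return a <= b


def check_plugin(header: str) -> Tuple[Optional[str], bool]:
    """Parse a plugin header and report (version, affected).
    A header with no Version line is reported as affected, the conservative call."""
    version = parse_version(header)
    if version is None:
        return None, True
    return version, is_affected(version)


if __name__ == "__main__":
    print(check_plugin(SAMPLE_HEADER))
```

Point check_plugin at the contents of the plugin's main file (the one carrying the Plugin Name header) on each site; a result of True means the installed version falls inside the range the advisory describes.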
Risk and Exploitability
The CVSS score of 8.5 classifies this flaw as high severity, while the EPSS score of less than 1% indicates a very low estimated probability of exploitation in the wild. The vulnerability is remotely reachable via web requests to the plugin's endpoints, but triggering the injection requires crafted input. Its absence from CISA's KEV catalog and the lack of publicly known exploits mean the attack vector is theoretical rather than demonstrated; however, the potential impact warrants prompt attention.