Impact
The vulnerability is an SQL injection flaw caused by improper neutralization of special characters in SQL queries. Classified as CWE‑89, the flaw allows execution of arbitrary SQL commands through the Recover abandoned cart for WooCommerce plugin. Based on the description, it is inferred that unauthorized database access could occur, potentially affecting data confidentiality and integrity.
Affected Systems
The affected product is the Recover abandoned cart for WooCommerce plugin by sonalsinha21; all releases from its inception up to and including version 2.5 are affected. The plugin is typically deployed on WordPress sites running the WooCommerce e‑commerce extension.
Risk and Exploitability
The CVSS score of 9.3 signals critical severity, while the EPSS score of <1% indicates a low probability of active exploitation at present. Although the vulnerability is not listed in CISA’s KEV catalog, the combination of high severity and low current exploitation likelihood still leaves sites that have not applied a fix at risk. The attack vector is likely malformed HTTP requests to the plugin’s exposed endpoints that incorporate user input directly into SQL statements.
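The Impact and Risk sections describe the classic CWE‑89 pattern: request input concatenated into a SQL statement. The following is an added illustrative example, not code from the Recover abandoned cart for WooCommerce plugin or its author; the table name, AJAX action, nonce name and request parameter are assumptions chosen for illustration. It places the vulnerable pattern beside the hardened form a WordPress plugin developer would use (`$wpdb->prepare()` with a typed placeholder, plus capability and nonce checks so the query is reachable only by an authorised request).

```php
<?php
// Added illustrative example, not code from the Recover abandoned cart for
// WooCommerce plugin. Table name, action name, nonce name and the request
// parameter "rac_cart_id" are assumptions made for this example.

// Vulnerable pattern (CWE-89): the request value is spliced straight into SQL.
// Any quote or operator in $cart_id changes the structure of the query.
function rac_example_get_cart_unsafe( $cart_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'rac_abandoned_carts'; // assumed table name
    $sql   = "SELECT * FROM {$table} WHERE cart_id = '" . $cart_id . "'";
    return $wpdb->get_row( $sql );
}

// Hardened form: coerce to the expected type, then bind the value with
// $wpdb->prepare(). The identifier (table name) is fixed and never user-controlled.
function rac_example_get_cart_safe( $cart_id ) {
    global $wpdb;
    $cart_id = absint( $cart_id ); // a numeric id is expected; anything else becomes 0
    if ( 0 === $cart_id ) {
        return null; // reject instead of querying with a bogus id
    }
    $table = $wpdb->prefix . 'rac_abandoned_carts';
    $sql   = $wpdb->prepare( "SELECT * FROM {$table} WHERE cart_id = %d", $cart_id );
    return $wpdb->get_row( $sql );
}

// Endpoint wiring (admin-ajax handler, assumed action name). Authorisation and a
// nonce check run before any database access, so the query is not reachable by an
// arbitrary unauthenticated HTTP request.
add_action( 'wp_ajax_rac_example_get_cart', function () {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'rac_example_nonce', 'nonce' );

    $cart_id = isset( $_GET['rac_cart_id'] ) ? wp_unslash( $_GET['rac_cart_id'] ) : 0;
    $row     = rac_example_get_cart_safe( $cart_id );

    if ( null === $row ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( $row );
} );
```

When reviewing a plugin for this flaw, the thing to look for is any `$wpdb->query()`, `get_row()`, `get_results()` or `get_var()` call whose SQL string is built with interpolation or concatenation of request data rather than passed through `$wpdb->prepare()`; a grep for `$wpdb->` calls that lack a nearby `prepare(` is a quick first pass.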
OpenCVE Enrichment