A blind SQL injection flaw exists in the BeRocket Brands for WooCommerce plugin, caused by insufficient neutralization of special characters in an SQL statement. This weakness, classified as CWE-89, permits an attacker to execute arbitrary SQL queries against the database, potentially leading to data exfiltration, modification, or deletion. The impact is significant, as attackers could compromise confidential customer data, manipulate store listings, or affect the integrity of the entire WordPress installation.

The vulnerability affects all installations of the BeRocket Brands for WooCommerce plugin up to and including version 3.8.6.3. Any WordPress site that has this plugin installed and not updated beyond that version is potentially exposed.

The CVSS score of 8.5 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at the present moment. The flaw is not listed in the CISA KEV catalog. The attack vector is likely remote, through the website’s public interface, where a malicious user can supply crafted input that reaches the plugin’s database queries. No known active attacks have been confirmed, but because the vulnerability allows blind data retrieval or manipulation, it is considered high risk.