Impact
An unspecified SQL injection flaw allows unauthenticated callers to embed crafted SQL statements into queries executed by the Feed KuantoKusta for WooCommerce – Free plugin. The flaw rests on improper input validation (CWE-89) and can give an attacker read or write access to the database, potentially revealing sensitive data or modifying store information. Because the attack does not require authentication, any web visitor could trigger it, so the risk of data compromise is high.
Affected Systems
The vulnerability affects the Naked Cat Plugins (by Webdados) Feed KuantoKusta for WooCommerce – Free plugin, versions up to and including 5.3. The vendor recommends updating to version 5.3.1 or later to remediate the flaw. Sites running earlier releases that have not applied the patch are exposed.
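A version check for the affected range stated above, added here as an example that is not part of the advisory or of the plugin itself. It reads the `Version:` line from a WordPress plugin's main file header and compares it numerically, so that 5.3 is correctly treated as older than 5.3.1; the sample header is constructed and the file path is a placeholder, since the page does not name the plugin's files.

```python
import re
from pathlib import Path

# Range stated in the advisory: up to and including 5.3 affected, 5.3.1 fixes it.
LAST_AFFECTED = "5.3"
FIXED_IN = "5.3.1"


def parse_version(text):
    """Split a dotted version into a tuple of ints; a non-numeric tail is ignored."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_le(a, b):
    """Compare tuples padded with zeros, so (5, 3) == (5, 3, 0) < (5, 3, 1)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) <= b + (0,) * (width - len(b))


def plugin_version_from_header(source):
    """Extract the 'Version:' value from a WordPress plugin file header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", source, re.MULTILINE)
    return m.group(1) if m else None


def is_affected(version_string):
    return version_le(parse_version(version_string), parse_version(LAST_AFFECTED))


def assess_plugin_file(path):
    """Return ('affected'|'patched'|'unknown', version) for a plugin main file."""
    source = Path(path).read_text(encoding="utf-8", errors="replace")
    ver = plugin_version_from_header(source)
    if ver is None:
        return ("unknown", None)
    return ("affected" if is_affected(ver) else "patched", ver)


if __name__ == "__main__":
    # Constructed header in WordPress plugin format; not the real plugin's file.
    SAMPLE = "<?php\n/**\n * Plugin Name: Example Feed Plugin\n * Version: 5.3\n */\n"
    ver = plugin_version_from_header(SAMPLE)
    print(ver, "affected" if is_affected(ver) else "patched")
    # Real use: assess_plugin_file("/path/to/wp-content/plugins/<plugin-dir>/<main-file>.php")
```

Note that a plain string comparison would rank "5.10" below "5.3"; the tuple comparison avoids that and pads "5.3" to "5.3.0" when set against the fixed release.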
Risk and Exploitability
The CVSS base score of 9.3 classifies this issue as Critical, reflecting its high impact and ease of exploitation. The EPSS score of less than 1% indicates a low probability of exploitation in the current period; however, because the flaw is public, attackers may still target vulnerable sites even though no widespread attacks have been detected. The flaw is not listed in the CISA KEV catalogue, indicating that no validated, public exploit has been reported to date. The flaw is reachable through unauthenticated HTTP requests that feed arbitrary SQL into plugin-controlled queries, so sites lacking the update remain at risk.
OpenCVE Enrichment