Impact
An unauthenticated SQL injection flaw exists in all installations of the WordPress eCommerce Product Catalog plugin up to version 3.5.5. Attackers can supply crafted input that is incorporated directly into database queries without proper sanitization, allowing them to execute arbitrary SQL statements. The potential consequences are significant: attackers can read sensitive product or order data, modify or delete records, and in worst‑case scenarios gain full control of the WordPress database, effectively taking over the site.
Affected Systems
The affected component is the eCommerce Product Catalog plugin developed by impleCode. Vulnerable versions include 3.5.5 and any earlier releases that have not incorporated the patch. No other WordPress plugins or core software are impacted by this vulnerability.
Risk and Exploitability
The CVSS base score of 9.3 classifies this as a critical vulnerability, but the EPSS score of less than 1% suggests a low probability of real‑world exploitation at present, and it is not listed in the CISA KEV catalog. Nevertheless, the vulnerability can be exploited without authentication, provided the attacker can reach the plugin’s input endpoint. Successful exploitation would grant database access, leading to data compromise and potential site takeover.
OpenCVE Enrichment