Description
Unauthenticated SQL Injection in Advance Product Search <= 1.4.4 versions.
Published: 2026-06-26
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Advance Product Search plugin for WordPress includes an unauthenticated SQL injection flaw in versions 1.4.4 and earlier. An attacker can insert crafted input into the search feature, which is then embedded directly into a database query without proper sanitization. This vulnerability allows the attacker to read, modify, or delete data within the WordPress database, contingent on the privileges granted to the database user employed by the site.

Affected Systems

WordPress sites that have the ThemeHunk Advance Product Search plugin installed at version 1.4.4 or older are affected. The flaw is triggered through the publicly accessible search functionality, so any visitor to the site can attempt an exploit without needing administrative credentials.

Risk and Exploitability

The CVSS score of 9.3 classifies the issue as critical. Because no authentication is required and the vulnerability is exposed through a public interface, attackers can exploit it manually or via automated scanning whenever the plugin and site are online. The EPSS score is not available, but the absence of access controls indicates that exploitation is feasible. The vulnerability is not listed in the CISA KEV catalog, yet the high severity warrants prompt action.

Generated by OpenCVE AI on June 26, 2026 at 18:37 UTC.

Remediation

Vendor Solution

Update the WordPress Advance Product Search Plugin to the latest available version (at least 1.4.5).

OpenCVE Recommended Actions

  • Update the Advance Product Search plugin to version 1.4.5 or newer.
  • If the plugin is not required for site functionality, permanently disable or remove it.
  • Configure the database user that WordPress uses to have only the minimum privileges necessary for normal operation.
  • Apply the plugin update as soon as it is released to eliminate the unauthenticated injection vector.

Generated by OpenCVE AI on June 26, 2026 at 18:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Themehunk
Themehunk advance Product Search
Wordpress
Wordpress wordpress
Vendors & Products Themehunk
Themehunk advance Product Search
Wordpress
Wordpress wordpress

Fri, 26 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated SQL Injection in Advance Product Search <= 1.4.4 versions.
Title WordPress Advance Product Search plugin <= 1.4.4 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

Themehunk Advance Product Search
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T16:47:47.692Z

Reserved: 2026-06-18T14:38:18.949Z

Link: CVE-2026-56070

cve-icon Vulnrichment

Updated: 2026-06-26T16:47:41.983Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T20:15:02Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')