Impact
The vulnerability in WP EasyCart allows an attacker to inject arbitrary SQL commands through the contributor input fields. This flaw is a classic SQL Injection (CWE-89) that can lead to unauthorized reading, modification, or deletion of database records. Possible consequences include data theft, manipulation of order information, corruption of user data, and escalation of privileges through malicious queries.
Affected Systems
The affected vendor is Levelfourdevelopment and the affected product is WP EasyCart. All plugin versions up to and including 5.9.0 are vulnerable; versions 5.9.1 and later are not reported as affected.
Risk and Exploitability
The CVSS score of 8.5 indicates high severity. EPSS data is unavailable, and the absence of a KEV listing does not rule out exploitation. The likely attack vector is the web interface, specifically requests carrying contributor data that is not properly sanitized. Exploitation requires that the attacker can supply input in a contributor-enabled context; in other words, the vulnerability is exploitable with authenticated contributor privileges. The combination of a high CVSS score and a web-based attack surface means that, should an adversary target a site, the risk of an active attack remains significant.
OpenCVE Enrichment