WordPress Product Catalog 8 SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the Product Catalog 8 plugin for WordPress, specifically in version 1.2.0. This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the selectedCategory parameter. Exploitation involves sending POST requests to the admin-ajax.php endpoint with the UpdateCategoryList action, which can be used to extract sensitive information from WordPress database tables.

Impact

Exploitation of this vulnerability allows for arbitrary SQL execution, which could be used to manipulate the database or extract sensitive information.

Reproduction

To reproduce this vulnerability, send a POST request to the WordPress admin-ajax.php endpoint. Include the selectedCategory parameter with a crafted SQL injection payload, such as a UNION SELECT statement. Also, set the action parameter to UpdateCategoryList.
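The request shape above (a POST to admin-ajax.php with action=UpdateCategoryList and a non-numeric selectedCategory value) is what a defender can hunt for. The following is an added detection example, not code from the advisory or the plugin; the log records are constructed, and it assumes a WAF or request log that captures the POST body, since a plain access log does not.

```python
import re
from urllib.parse import parse_qs

# Constructed sample request records for this example (not taken from the page).
# Each tuple is (client_ip, method, path, urlencoded parameters). This assumes
# a WAF or request log that records the POST body.
SAMPLE_REQUESTS = [
    ("203.0.113.5", "POST", "/wp-admin/admin-ajax.php",
     "action=UpdateCategoryList&selectedCategory=3"),
    ("203.0.113.9", "POST", "/wp-admin/admin-ajax.php",
     "action=UpdateCategoryList&selectedCategory=3+UNION+SELECT+1%2C2%2C3"),
    ("198.51.100.2", "POST", "/wp-admin/admin-ajax.php",
     "action=UpdateCategoryList&selectedCategory=3%27+OR+1%3D1--+-"),
    ("198.51.100.7", "POST", "/wp-admin/admin-ajax.php",
     "action=heartbeat&selectedCategory=1+UNION+SELECT+1"),
]

# Common SQL-injection markers; used only to label why a value was flagged.
SQLI_MARKERS = re.compile(
    r"union\s+select|\bor\s+\d+\s*=\s*\d+|--|/\*|\bsleep\s*\(", re.IGNORECASE)

def classify_request(ip, method, path, params):
    """Return a finding dict for a request matching the vulnerable pattern, else None.

    A category selector should be a plain integer ID, so the check is allow-list
    first (anything that is not digits is anomalous) and the regex only explains
    the anomaly; unknown payload styles are therefore still surfaced.
    """
    if method != "POST" or not path.endswith("/wp-admin/admin-ajax.php"):
        return None
    fields = parse_qs(params, keep_blank_values=True)  # percent-decodes values
    if fields.get("action") != ["UpdateCategoryList"]:
        return None
    for value in fields.get("selectedCategory", []):
        if value.strip().isdigit():
            continue
        match = SQLI_MARKERS.search(value)
        return {"ip": ip, "value": value,
                "indicator": match.group(0) if match else "non-numeric category"}
    return None

def scan(records):
    """Run classify_request over (ip, method, path, params) tuples."""
    return [f for f in (classify_request(*r) for r in records) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Non-numeric values that match no marker are still reported, so the allow-list check is the real control and the regex is only an explanation for the analyst.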

Added: Jun 9, 2026, 2:22 PM
Updated: Jun 9, 2026, 2:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 9.4
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.