CVE-2016-20065
Description
SQL injection in Product Catalog 8 1.2 plugin for WordPress allows unauthenticated attackers to extract sensitive database information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Product Catalog 8 1.2 plugin for WordPress allows unauthenticated attackers to extract sensitive database information.
Vulnerability
The Product Catalog 8 1.2 plugin for WordPress is vulnerable to SQL injection. This vulnerability exists in the selectedCategory parameter, which is not properly escaped. The UpdateCategoryList action within admin-ajax.php is accessible to unauthenticated users, allowing them to trigger the vulnerable code path [2, 3]. The affected version is Product Catalog 8 1.2.0 [1, 3].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a POST request to the wp-admin/admin-ajax.php endpoint. The request must include the action parameter set to UpdateCategoryList and the selectedCategory parameter containing malicious SQL code. This allows the attacker to execute arbitrary SQL queries against the WordPress database [2, 3].
Impact
Successful exploitation of this SQL injection vulnerability allows an unauthenticated attacker to execute arbitrary SQL queries. This can lead to the extraction of sensitive database information from WordPress tables. The scope of the compromise is limited to the database accessible by the WordPress application [2].
Mitigation
This plugin has been closed as of September 15, 2014, and is no longer available for download [1]. The vendor was not found as of November 12, 2016 [3]. There is no information available regarding a fixed version or a patch for this vulnerability. Users should uninstall the plugin if it is still in use.
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <1.2
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The `selectedCategory` parameter is not properly escaped before being used in an SQL query."
Attack vector
An unauthenticated attacker can submit a POST request to the `admin-ajax.php` endpoint with the `action` parameter set to `UpdateCategoryList` [ref_id=1]. By injecting malicious SQL code into the `selectedCategory` parameter, an attacker can execute arbitrary SQL queries [ref_id=1]. This allows for the extraction of sensitive information from WordPress database tables.
Affected code
The vulnerability lies within the Product Catalog 8 1.2 plugin for WordPress. Specifically, the `UpdateCategoryList()` function is accessible for any user, and the `$_POST[‘selectedCategory’]` parameter is not escaped before being used in SQL queries [ref_id=1].
What the fix does
The patch is not available in the provided information. The advisory indicates that the `$_POST[‘selectedCategory’]` is not escaped and that `UpdateCategoryList()` is accessible for any user [ref_id=1]. Remediation would involve properly sanitizing or escaping the `selectedCategory` input before it is used in database queries.
Preconditions
- authThe vulnerability affects unauthenticated users.
- inputThe `selectedCategory` parameter is vulnerable to SQL injection.
Reproduction
```html <form method="post" action="http://target/wp-admin/admin-ajax.php"> <input type="text" name="selectedCategory" value="0 UNION SELECT 1,2,3,4,5,6 FROM wp_terms WHERE term_id=1"> <input type="text" name="action" value="UpdateCategoryList"> <input type="submit" value="Send"> </form> ``` [ref_id=1]
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.