CVE-2025-9697
Description
The Ajax WooSearch WordPress plugin through 1.0.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in Ajax WooSearch plugin through 1.0.0 allows attackers to extract sensitive data from the database.
The Ajax WooSearch WordPress plugin through version 1.0.0 contains an unauthenticated SQL injection vulnerability. The plugin fails to properly sanitize and escape a parameter before using it in a SQL statement within an AJAX action that is accessible to unauthenticated users [1].
An attacker can exploit this flaw by sending a crafted request to the vulnerable AJAX endpoint without any authentication. Because the parameter is placed into the query without being sanitised or escaped, attacker-supplied SQL becomes part of the statement and is executed by the WordPress database with the privileges of the site's database user [1].
Successful exploitation lets an unauthenticated attacker extract data from the WordPress database, including user account records (password hashes), posts and other site information. The description does not say which query is affected or whether the injection also permits writes; disclosure of credential hashes or other stored secrets is already enough to escalate toward full site compromise [1].
No patched version is listed for this vulnerability. Until one is available, remove the plugin or replace it with a maintained alternative [1].
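As an added illustration, and not code from the Ajax WooSearch plugin (the advisory does not name the AJAX action, the parameter or the query), the snippet below shows the vulnerable shape of an unauthenticated WordPress AJAX search handler beside a hardened form. The hook name `example_search`, the request parameter `term`, the table and column names and the example payload are all assumptions.

```php
<?php
/*
 * Added illustration only; not code from the Ajax WooSearch plugin.
 * The hook names, the "term" parameter and the query are assumptions;
 * the advisory does not give the real plugin's identifiers.
 */

// --- Vulnerable pattern: the parameter is concatenated into SQL unescaped ---
// wp_ajax_nopriv_* handlers run for visitors who are not logged in, so this
// endpoint is reachable without credentials. Public search endpoints are a
// legitimate design; the defect is the string concatenation below.
add_action( 'wp_ajax_nopriv_example_search', 'example_search_vulnerable' );
add_action( 'wp_ajax_example_search',        'example_search_vulnerable' );

function example_search_vulnerable() {
    global $wpdb;
    $term = isset( $_GET['term'] ) ? $_GET['term'] : '';

    // A value containing a quote and SQL keywords (e.g. ' OR 1=1-- -) closes the
    // string literal and the remainder is parsed and executed as SQL.
    $sql  = "SELECT ID, post_title FROM {$wpdb->posts}"
          . " WHERE post_type = 'product' AND post_status = 'publish'"
          . " AND post_title LIKE '%" . $term . "%' LIMIT 20";
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// --- Hardened pattern: the value travels as a bound parameter ---
add_action( 'wp_ajax_nopriv_example_search_safe', 'example_search_safe' );
add_action( 'wp_ajax_example_search_safe',        'example_search_safe' );

function example_search_safe() {
    global $wpdb;

    // Normalise the input: undo WordPress' magic-quotes slashing, strip tags
    // and control characters, and reject empty or oversized terms.
    $term = isset( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';
    if ( '' === $term || strlen( $term ) > 100 ) {
        wp_send_json_error( 'invalid search term', 400 );
    }

    // esc_like() escapes the LIKE wildcards (% and _) so a visitor cannot turn a
    // search into a table-wide scan; prepare() binds the value so no part of
    // the attacker's input is ever interpreted as SQL.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}"
        . " WHERE post_type = %s AND post_status = %s AND post_title LIKE %s LIMIT %d",
        'product', 'publish', $like, 20
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
```

The two handlers return the same result set for ordinary input; only the hardened one keeps attacker-controlled bytes out of the statement text. When auditing a plugin for this class of bug, search for `wp_ajax_nopriv_` registrations and follow each request parameter to the point where it meets `$wpdb->query()`, `get_results()`, `get_var()` or `get_row()` without passing through `$wpdb->prepare()`.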
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0. No patches discovered yet.
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0. No linked articles in our index yet.