CVE-2026-52693
Description
Unauthenticated SQL injection in eCommerce Product Catalog plugin for WordPress (up to v3.5.5) allows database interaction and data theft.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The eCommerce Product Catalog plugin for WordPress, versions 3.5.5 and earlier, contains an unauthenticated SQL injection vulnerability. The flaw allows an attacker to inject arbitrary SQL queries without any prior authentication or user interaction, simply by sending malicious input to a vulnerable endpoint. All installations running version 3.5.5 or below are affected [1].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable plugin endpoint. No special privileges, network proximity, or user interaction is required. This vulnerability is expected to be used in mass-exploitation campaigns, where attackers target thousands of websites simultaneously to maximize impact [1].
Impact
Successful exploitation of this SQL injection allows the attacker to directly interact with the underlying WordPress database. This can lead to the exfiltration of sensitive information, including user credentials, personal data, and other stored content. The CVSS score of 9.3 (Critical) reflects the high potential for damage and data loss [1].
Mitigation
The vulnerability is resolved in version 3.5.6. Users are strongly advised to update immediately. For those unable to update, a mitigation rule (e.g., from Patchstack) can be applied to block exploit attempts until the patch is installed. No workaround is provided other than updating or using a web application firewall rule [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=3.5.5 (2 entries listed)
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.