Skip to main content

eCommerce Product Catalog EUVDEUVD-2026-36900

| CVE-2026-52693 CRITICAL
SQL Injection (CWE-89)
2026-06-15 Patchstack GHSA-rgmr-gwj7-9rrh
9.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
9.3 CRITICAL

Unauthenticated network SQLi against a public WordPress plugin endpoint justifies AV:N/AC:L/PR:N/UI:N; scope changes to the WordPress DB (S:C); high confidentiality, low integrity via potential writes, no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 21:26 vuln.today
CVE Published
Jun 15, 2026 - 20:19 cve.org
CRITICAL 9.3

DescriptionCVE.org

Unauthenticated SQL Injection in eCommerce Product Catalog <= 3.5.5 versions.

AnalysisAI

Unauthenticated SQL injection in the implecode eCommerce Product Catalog WordPress plugin (versions 3.5.5 and earlier) allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The CVSS 9.3 score reflects a scope change with high confidentiality impact, meaning data outside the plugin's database context can be reached. No public exploit identified at time of analysis, though the Patchstack advisory confirms the vendor-tracked vulnerability class.

Technical ContextAI

The affected component is the eCommerce Product Catalog plugin by implecode for WordPress, identified by CPE cpe:2.3:a:implecode:ecommerce_product_catalog. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-supplied input is concatenated into SQL statements without proper sanitization, prepared statements, or use of WordPress's $wpdb->prepare() API. Because the plugin runs in the WordPress execution context, injected SQL executes against the wp_ database where credentials, session tokens, and option values are stored.

RemediationAI

Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the supplied data - administrators should consult the Patchstack reference (https://patchstack.com/database/wordpress/plugin/ecommerce-product-catalog/vulnerability/wordpress-ecommerce-product-catalog-plugin-3-5-5-sql-injection-vulnerability) and the WordPress.org plugin page to obtain the next release above 3.5.5 and update via the WordPress admin dashboard. Until upgrading, deactivate and remove the plugin if it is non-essential (loss of catalog functionality), or place the affected catalog endpoints behind a WAF with SQLi signatures enabled such as Patchstack, Wordfence, or Cloudflare managed rules (may produce false positives on legitimate product searches). Restricting access to the plugin's front-end query endpoints via IP allowlist is an option for B2B deployments but breaks public storefronts.

Share

EUVD-2026-36900 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy