HIGH 8.2

CVE-2016-20065: Unauthenticated SQL Injection in Product Catalog 8 WordPress Plugin

The Product Catalog 8 plugin version 1.2 for WordPress contains a critical SQL injection flaw that allows attackers to bypass authentication entirely and directly query the WordPress database. An unauthenticated attacker can craft a specially designed POST request to the admin-ajax.php endpoint, manipulating the selectedCategory parameter to inject arbitrary SQL commands. This enables unauthorized data extraction from sensitive WordPress database tables, potentially exposing user credentials, posts, comments, and configuration data without requiring login credentials or user interaction.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Weaknesses (CWE)
CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Product Catalog 8 1.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the selectedCategory parameter. Attackers can submit POST requests to the admin-ajax.php endpoint with the UpdateCategoryList action to extract sensitive database information from WordPress tables.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2016-20065 is an unauthenticated SQL injection vulnerability in Product Catalog 8 version 1.2 for WordPress. The vulnerability exists in the handling of the selectedCategory parameter within requests to admin-ajax.php using the UpdateCategoryList action. The plugin fails to properly sanitize or parameterize user-supplied input before incorporating it into SQL queries. This allows attackers to append arbitrary SQL syntax, achieving both UNION-based and time-based blind SQL injection attacks. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), with a CVSS v3.1 score of 8.2 (HIGH severity) reflecting high confidentiality impact and limited integrity impact with no availability impact.

Business impact

This vulnerability poses a significant risk to WordPress sites relying on Product Catalog 8 for e-commerce or product management functionality. Attackers can extract sensitive data including customer information, product pricing, transactional records, and WordPress user accounts without detection. A compromised database could expose personally identifiable information (PII) and payment-related details, triggering potential compliance violations under GDPR, PCI-DSS, and similar regulations. Additionally, database access may enable attackers to modify product listings or inject malicious content, affecting site integrity and customer trust. Organizations hosting multiple WordPress sites with this plugin face compounded risk across their entire installation base.

Affected systems

The vulnerability specifically affects Product Catalog 8 version 1.2 for WordPress. Any WordPress installation with this plugin version deployed is potentially vulnerable. The vulnerability is publicly disclosed and exploitable without authentication, making it broadly accessible to threat actors. Organizations should conduct a comprehensive audit of their WordPress plugin inventory to identify all instances of Product Catalog 8, noting that the vulnerability requires no special configuration or user interaction to exploit.

Exploitability

This vulnerability is highly exploitable. It requires no authentication, no special privileges, and no user interaction. An attacker can craft a malicious POST request from anywhere on the internet targeting the wp-admin/admin-ajax.php endpoint. The attack surface is large because the vulnerable endpoint is enabled by default on all WordPress installations. The simplicity of HTTP POST requests and the straightforward nature of SQL injection attacks mean that exploitation requires minimal technical sophistication. Proof-of-concept code is likely available in the security research community, lowering the barrier to exploitation.

Remediation

Organizations must immediately disable or remove the Product Catalog 8 plugin version 1.2 from all WordPress installations. Check with the plugin vendor for an updated version that patches this SQL injection vulnerability; if no patch is available, consider alternative catalog plugins. If the plugin cannot be removed immediately due to business constraints, apply the principle of least privilege by restricting access to admin-ajax.php at the firewall or web application level, though this should be a temporary measure only. After remediation, review database access logs and audit for evidence of unauthorized queries or data extraction.

Patch guidance

Verify against the vendor advisory for the availability and version number of a patched release for Product Catalog 8. If a patch is available, update the plugin immediately through the WordPress admin dashboard or manually through your hosting provider. Test the update in a staging environment first to ensure compatibility with your theme, other plugins, and custom functionality. If no patch is currently available from the vendor, document the date of your attempt to update and escalate to your hosting provider or WordPress security team for guidance. After updating, confirm the plugin version reflects the patched release and re-run security scans to validate remediation.

Detection guidance

Monitor access logs for POST requests to wp-admin/admin-ajax.php with action=UpdateCategoryList and any selectedCategory parameters containing SQL keywords such as SELECT, UNION, EXEC, DROP, INSERT, or encoded variants thereof. Implement Web Application Firewall (WAF) rules to block requests matching common SQL injection patterns targeting this endpoint. Enable WordPress security logging plugins to capture and alert on suspicious admin-ajax.php activity. Query your WordPress database access logs for unusual or high-volume queries initiated by the web server user account. Review database backups to detect unauthorized schema changes, new user accounts, or modifications to sensitive tables. Consider deploying a Database Activity Monitor (DAM) solution for real-time detection of anomalous query patterns.

Why prioritize this

This vulnerability warrants immediate remediation due to its HIGH CVSS score (8.2), unauthenticated attack vector, and direct access to sensitive data. The lack of authentication barriers and the public nature of the disclosure mean this is likely to be actively exploited. The potential for customer data exposure creates both regulatory and reputational liability. Unlike many vulnerabilities requiring specific conditions or social engineering, this flaw can be exploited by any remote attacker with a single HTTP request. Organizations running this plugin should treat remediation as an emergency priority, not a routine update cycle.

Risk score, explained

The CVSS v3.1 score of 8.2 (HIGH) reflects a network-accessible vulnerability requiring no authentication or user interaction, with significant impact on data confidentiality (unauthenticated database queries can extract sensitive information). The vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N indicates attack vector is Network, Attack Complexity is Low, no authentication is required, no user interaction needed, and the scope is Unchanged. High confidentiality impact acknowledges the ability to read arbitrary database records. Limited integrity impact reflects the potential to modify data through SQL injection, though availability is not impacted as the attack does not cause denial of service. This HIGH rating appropriately conveys the critical nature of the flaw for any organization running the affected plugin.

Frequently asked questions

Is my WordPress site vulnerable if I have Product Catalog 8 installed but don't actively use it?

Yes. The vulnerability is in the plugin code itself and is exploitable regardless of whether you actively use the plugin's features. An attacker does not need the plugin to be 'enabled' in the business sense; simply being installed and activated is sufficient for exploitation. You should remove or patch the plugin immediately even if it's not in active use.

Can a WAF or firewall block this attack completely without patching the plugin?

A WAF can significantly reduce attack surface by blocking SQL injection patterns and requests containing suspicious keywords in the selectedCategory parameter. However, relying on WAF rules alone is not a substitute for patching, as sophisticated attackers may bypass WAF rules through encoding, fragmentation, or novel injection techniques. A WAF should be considered a temporary mitigation while you patch or replace the plugin, not a permanent solution.

How can I check if my site has already been compromised by this vulnerability?

Review your WordPress database and web server access logs for the time period since the plugin was installed. Look for POST requests to admin-ajax.php with UpdateCategoryList action and selectedCategory parameters containing SQL keywords or encoded characters. Check for unauthorized WordPress user accounts, modified post content, or unexpected database schema changes. If you suspect compromise, consider engaging a forensic security firm and immediately resetting all WordPress user passwords and database credentials.

Does this vulnerability affect WordPress.com or only self-hosted WordPress?

This vulnerability affects self-hosted WordPress installations using the vulnerable Product Catalog 8 plugin version 1.2. If your site is hosted on WordPress.com's managed service, plugin installation is restricted, and you are not vulnerable. If you operate a self-hosted WordPress.org installation, you are potentially affected if the plugin is installed.

This analysis is provided for informational purposes and reflects the vulnerability details as of the published and modified dates. Organizations should verify patch availability directly with the plugin vendor and test patches in non-production environments before deployment. The vulnerability information presented here is based on publicly disclosed details; actual exploitation behavior may vary. This advisory does not constitute legal advice or compliance guidance; consult with legal and compliance teams regarding regulatory implications of any data exposure. SEC.co makes no warranties regarding the completeness or accuracy of vendor advisory information and recommends independent verification against official plugin repositories and vendor statements. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).