A critical SQL Injection vulnerability, identified as CVE-2025-30633, has been discovered in the AA-Team Amazon Native Shopping Recommendations plugin. This flaw allows an unauthenticated attacker to execute arbitrary SQL commands on the underlying database, potentially leading to a complete compromise of the database, data theft, and unauthorized modification of website content. Organizations using the affected plugin are at high risk of a data breach and should take immediate action.

The vulnerability exists because the application fails to properly sanitize user-supplied input before incorporating it into an SQL query. An attacker can craft a malicious input string containing SQL syntax to manipulate the intended query logic. Successful exploitation allows the attacker to bypass authentication, read, modify, or delete sensitive information from the database, and in some configurations, execute commands on the underlying operating system.

This vulnerability is rated as critical severity with a CVSS score of 9.3. Exploitation could lead to a severe data breach, resulting in the exfiltration of sensitive customer information, user credentials, and other confidential business data stored in the database. The potential consequences include significant financial loss, reputational damage, regulatory fines for non-compliance with data protection standards (e.g., GDPR, CCPA), and loss of customer trust. An attacker could also deface the website or use the compromised server to launch further attacks.

Immediate Action: Update the AA-Team Amazon Native Shopping Recommendations plugin to the latest version available from the vendor, which addresses this vulnerability. After patching, monitor for any signs of post-compromise activity and review web server and database access logs for any suspicious queries or exploitation attempts that may have occurred before the update.

Proactive Monitoring: Implement continuous monitoring of web application and database logs. Specifically, look for malformed SQL queries, a high volume of database errors, and unusual requests containing SQL keywords such as UNION, SELECT, INSERT, DROP, or comment characters like -- or #. Monitor for unexpected changes to database content or application behavior.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with a robust ruleset designed to detect and block SQL injection attacks. Additionally, ensure the database user account leveraged by the web application operates with the principle of least privilege, restricting its ability to access or modify sensitive tables or execute system-level commands.

Public Exploit Available: false

Given the critical CVSS score of 9.3, organizations are strongly urged to treat this vulnerability with the highest priority. The risk of data compromise is severe. We recommend immediately applying the vendor-supplied patch to all affected systems. Although this vulnerability is not currently listed on the CISA KEV catalog, its critical nature warrants immediate attention to prevent potential exploitation.