A critical SQL Injection vulnerability has been identified in the WBW WooBeWoo Product Filter Pro plugin for WordPress. This flaw allows an unauthenticated attacker to inject malicious SQL commands, potentially leading to the theft of sensitive database information, unauthorized modification of website data, or a complete compromise of the affected website.

The vulnerability is an Improper Neutralization of Special Elements used in an SQL Command, commonly known as SQL Injection. The application fails to properly sanitize user-supplied input before using it in a database query. An unauthenticated remote attacker can craft a malicious request to a public-facing component of the plugin, injecting arbitrary SQL code that will be executed by the backend database, granting them unauthorized access and control over the database.

This vulnerability is rated as critical severity with a CVSS score of 9.3. Successful exploitation could have a severe impact on the business, leading to the exfiltration of sensitive data, including customer personally identifiable information (PII), user credentials, and order details. This data breach could result in significant reputational damage, financial loss, and potential regulatory fines. Furthermore, an attacker could modify or delete website content or escalate their privileges to gain administrative control over the entire website and underlying server.

Immediate Action: Update the WBW WooBeWoo Product Filter Pro plugin to the latest patched version immediately across all production and development environments. After patching, it is crucial to monitor for any signs of post-remediation exploitation attempts and review web server and database access logs for any suspicious activity that may have occurred prior to the update.

Proactive Monitoring: Implement enhanced monitoring of web server access logs and database query logs. Look for suspicious requests containing SQL keywords (e.g., UNION, SELECT, INSERT, '--', OR 1=1) or unusual syntax targeted at the plugin's endpoints. Monitor for the creation of unauthorized user accounts or unexpected changes to website content, which could indicate a successful compromise.

Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with a robust ruleset designed to detect and block SQL injection attacks. Restrict database user permissions to follow the principle of least privilege, ensuring the web application's database user cannot perform unnecessary actions (e.g., dropping tables, accessing system-level information).

Public Exploit Available: false

Given the critical CVSS score of 9.3 and the potential for a complete system compromise, it is strongly recommended that organizations using the WBW WooBeWoo Product Filter Pro plugin apply the vendor-supplied patch immediately. This vulnerability should be treated as a top priority for remediation. Although not currently listed on the CISA KEV catalog, its severity and the high likelihood of future exploitation make it a critical risk that must be addressed without delay.