CVE-2025-7670
WordPress · WordPress JS Archive List plugin
Executive summary
A high-severity vulnerability has been identified in the JS Archive List plugin for WordPress, affecting all versions up to and including 6. This flaw allows an unauthenticated attacker to steal sensitive information from the website's database, such as user credentials, personal data, and site content, by sending specially crafted requests to the server. Due to the ease of exploitation and the potential for complete database compromise, immediate remediation is strongly advised.
Vulnerability
The vulnerability is a time-based SQL injection flaw in the build_sql_where() function of the JS Archive List plugin. The function fails to properly sanitize user-supplied input before using it to construct a SQL query. An unauthenticated attacker can supply input that adds a time-delay function (e.g., SLEEP() or BENCHMARK()) to that query. By measuring the server's response time, the attacker can infer the results of the query one character at a time, allowing them to progressively exfiltrate data from the database without directly seeing the output.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to a significant data breach, resulting in the unauthorized disclosure of sensitive information stored in the WordPress database. This includes user accounts, hashed passwords, customer data, and other confidential site information. The business risks include reputational damage, loss of customer trust, regulatory fines (if PII is compromised), and the potential for attackers to use stolen credentials to gain further access to the system or escalate privileges.
Remediation
Immediate Action: The primary remediation is to update the JS Archive List plugin to the latest patched version provided by the developer. If the plugin is not essential for business operations, it should be deactivated and removed entirely to eliminate the risk.
Proactive Monitoring: Monitor web server and database logs for unusually long-running queries or requests targeting the plugin's functionality. Specifically, look for SQL functions such as SLEEP() or BENCHMARK() in web request logs. Implement database activity monitoring to detect and alert on anomalous query patterns.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL Injection attempts. Enforce the principle of least privilege for the WordPress database user account, ensuring it only has the minimum permissions necessary to operate the site.
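The log review described under Proactive Monitoring, as an added example (not code from the plugin or from this advisory). It assumes an nginx-style combined access log with the request time appended as the last field; the sample lines, path, parameter name and slow-response threshold are constructed.

```python
import re
from urllib.parse import unquote_plus

# Assumed format: combined access log with the request time (seconds) as the last field.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<rt>\d+(?:\.\d+)?)$'
)
DELAY_FN_RE = re.compile(r'\b(sleep|benchmark)\s*\(', re.IGNORECASE)
SLOW_SECONDS = 3.0  # assumed threshold; tune to the site's normal latency

def fully_decode(target, max_rounds=3):
    """Undo repeated URL-encoding so that %2528 is seen as '('."""
    for _ in range(max_rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def triage(lines):
    """Return (ip, reasons, decoded_target) for each line worth an analyst's attention."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format
        target = fully_decode(m['target'])
        reasons = []
        fn = DELAY_FN_RE.search(target)
        if fn:
            reasons.append('delay-function:' + fn.group(1).lower())
        if float(m['rt']) >= SLOW_SECONDS:
            reasons.append('slow-response')
        if reasons:
            findings.append((m['ip'], reasons, target))
    return findings

# Constructed sample lines: documentation IPs, placeholder path and parameter.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /placeholder-endpoint?p=SLEEP%285%29 HTTP/1.1" 200 512 "-" "curl/8.0" 5.012',
    '198.51.100.7 - - [01/Jan/2025:10:00:09 +0000] "GET /placeholder-endpoint?p=benchmark%2528 HTTP/1.1" 200 512 "-" "curl/8.0" 0.040',
    '203.0.113.9 - - [01/Jan/2025:10:01:00 +0000] "GET /blog/how-i-sleep-better HTTP/1.1" 200 9000 "-" "Mozilla/5.0" 0.120',
    '203.0.113.9 - - [01/Jan/2025:10:02:00 +0000] "GET /wp-cron.php HTTP/1.1" 200 0 "-" "WordPress" 4.300',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A line flagged only as slow-response is a prompt to look closer, not evidence of injection on its own; the delay-function match together with a matching delay is the stronger signal.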
Exploitation status
Public Exploit Available: true
Analyst recommendation
Given the high severity (CVSS 7.5) and the potential for a complete database compromise by an unauthenticated attacker, it is strongly recommended that organizations take immediate action. All instances of the JS Archive List plugin must be identified and updated to the latest version without delay. While this CVE is not currently on the CISA KEV list, its characteristics make it a prime candidate for future inclusion. A comprehensive audit of all installed WordPress plugins should be conducted to remove any unnecessary components and reduce the overall attack surface.