A high-severity vulnerability exists in the "VidShop – Shoppable Videos for WooCommerce" WordPress plugin. This flaw allows an unauthenticated attacker to steal sensitive information from the website's database, such as customer data, order details, or user credentials, by exploiting a time-based SQL injection. Immediate patching is required to prevent a potential data breach.

The vulnerability is a time-based SQL injection flaw within the 'fields' parameter of the plugin. An attacker can send specially crafted SQL queries embedded within this parameter to the application. The application improperly handles this input, allowing the malicious queries to be executed by the database. By injecting conditional queries with a time-delay function (e.g., SLEEP() or BENCHMARK()), an attacker can infer information from the database one character at a time by measuring the server's response time, enabling the exfiltration of sensitive data without generating direct errors.

This is a high-severity vulnerability with a CVSS score of 7.5. Successful exploitation could lead to a significant data breach, compromising sensitive customer information (names, addresses, order history), user credentials, and other confidential business data stored in the database. The potential consequences include severe reputational damage, loss of customer trust, financial losses due to fraud or regulatory fines (e.g., GDPR, PCI-DSS), and significant costs associated with incident response and customer notification.

Immediate Action: Immediately update the "VidShop – Shoppable Videos for WooCommerce" plugin to the latest patched version provided by the vendor. If the plugin is not essential to business operations, consider deactivating and removing it entirely to reduce the overall attack surface.

Proactive Monitoring: Monitor web server access logs and Web Application Firewall (WAF) logs for unusual, repetitive, or abnormally long requests targeting the vulnerable parameter. Database logs should be reviewed for suspicious or long-running queries. Network traffic should be monitored for any unusual patterns of data exfiltration from the web server.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with a strict ruleset designed to detect and block SQL injection attacks. Ensure the WAF is in blocking mode and not just logging/alerting. Restrict database user permissions to follow the principle of least privilege, limiting the potential impact of a successful injection.

Public Exploit Available: false

Given the high severity (CVSS 7.5) and the direct risk of a data breach, we strongly recommend that all instances of the "VidShop – Shoppable Videos for WooCommerce" plugin be patched immediately. The ease with which SQL injection vulnerabilities can be exploited makes this a critical priority. Organizations should treat this as an urgent threat and apply the vendor-supplied updates without delay to protect sensitive customer and business data.