CVE-2026-56070

ThemeHunk · Advance Product Search

The Advance Product Search plugin for WordPress is susceptible to an unauthenticated SQL injection vulnerability in versions 1.4.4 and earlier.

Executive summary

ThemeHunk Advance Product Search contains a critical unauthenticated SQL injection vulnerability that allows remote attackers to compromise the application database.

Vulnerability

The flaw is an unauthenticated SQL injection in the plugin's search functionality. An attacker can use it to execute crafted SQL queries against the site's database without authenticating, interacting directly with the stored data.

Business impact

A CVSS score of 9.3 confirms the critical severity of this issue, as it allows for unauthorized data access, modification, or deletion without requiring any user credentials. Successful exploitation could lead to significant business disruption, theft of sensitive product or user information, and long-term reputational damage to the organization.

Remediation

Immediate Action: Update the ThemeHunk Advance Product Search plugin to the latest version provided by the vendor.

Proactive Monitoring: Monitor database query logs for anomalous activity or unexpected database errors that may indicate an ongoing injection attempt.
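One way to act on this monitoring advice, as an added example that is not part of the advisory or of the vendor's code: a Python scanner for WordPress `debug.log` lines in the `WordPress database error ... for query ... made by ...` format that wpdb writes when `WP_DEBUG_LOG` is enabled, flagging failed queries that show injection-style breakage. The sample log lines, caller names and table names are constructed placeholders, not this plugin's real identifiers.

```python
import re
from dataclasses import dataclass

# Line format produced by wpdb::print_error() when WP_DEBUG_LOG is enabled.
WPDB_ERROR_RE = re.compile(
    r"WordPress database error (?P<error>.+?) for query (?P<query>.+?) made by (?P<caller>.+)$"
)

# Structure-altering fragments that a plugin's own product-search query should never contain.
SUSPECT_FRAGMENTS = re.compile(
    r"(?i)(\bunion\b.{0,40}\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|--\s|/\*|\bor\b\s+\d+\s*=\s*\d+)"
)


@dataclass
class Finding:
    line_no: int
    reason: str
    caller: str
    query: str


def unbalanced_quotes(query: str) -> bool:
    # An odd number of single quotes is what a stray quote injected into a
    # string literal typically leaves behind (escaped quotes are ignored).
    return query.replace("\\'", "").count("'") % 2 == 1


def scan_debug_log(lines):
    """Return one Finding per database error that looks like an injection attempt."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = WPDB_ERROR_RE.search(line)
        if not m:
            continue  # not a wpdb error line (PHP notices etc.)
        error, query, caller = m.group("error"), m.group("query"), m.group("caller")
        if "error in your SQL syntax" in error and unbalanced_quotes(query):
            findings.append(Finding(no, "syntax error with unbalanced quote", caller, query))
        elif SUSPECT_FRAGMENTS.search(query):
            findings.append(Finding(no, "injection-style fragment in failed query", caller, query))
    return findings


# Constructed sample lines; 'wp_ajax_nopriv_PLACEHOLDER' stands in for whatever hook the plugin uses.
SAMPLE_LOG = [
    "[01-Jan-2026 10:00:00 UTC] WordPress database error You have an error in your SQL syntax; check the manual for the right syntax to use near ''%'' at line 1 for query SELECT ID FROM wp_posts WHERE post_title LIKE '%shoe'%' made by do_action('wp_ajax_nopriv_PLACEHOLDER'), WP_Hook->do_action",
    "[01-Jan-2026 10:00:01 UTC] WordPress database error Table 'db.wp_missing' doesn't exist for query SELECT * FROM wp_missing made by SomePlugin::init",
    "[01-Jan-2026 10:00:02 UTC] WordPress database error Unknown column 'x' in 'field list' for query SELECT x FROM wp_posts WHERE post_title LIKE '%a%' UNION SELECT 1,2,3-- ' made by do_action('wp_ajax_nopriv_PLACEHOLDER')",
    "[01-Jan-2026 10:00:03 UTC] PHP Notice: Undefined index: foo in /var/www/html/wp-content/plugins/example/example.php on line 10",
]

if __name__ == "__main__":
    for f in scan_debug_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason} (caller: {f.caller})")
```

Only errors surfaced by the database are visible this way, so pair it with web-server access logs for attempts that do not break the query.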

Compensating Controls: Utilize a Web Application Firewall (WAF) to inspect and block incoming HTTP requests containing suspicious SQL injection patterns, providing temporary protection until the patch is applied.

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

Security teams should treat this vulnerability with the highest priority due to the ease of exploitation and the potential impact on data integrity. Update the plugin immediately and audit the database for any signs of unauthorized modification that may have occurred before the update was applied.