CVE-2026-57683

Epsiloncool · WP Fast Total Search

An unauthenticated SQL injection vulnerability exists in Epsiloncool WP Fast Total Search versions 1.80.280 and earlier, allowing remote attackers to manipulate database queries.

Executive summary

An unauthenticated SQL injection vulnerability in Epsiloncool WP Fast Total Search poses a critical risk of unauthorized database access and potential data exfiltration.

Vulnerability

This is an unauthenticated SQL injection vulnerability occurring within the search functionality of the plugin. An attacker can execute arbitrary SQL commands by injecting malicious payloads into vulnerable search parameters without requiring prior authentication.

Business impact

Successful exploitation of this vulnerability can lead to full database compromise, potentially resulting in the theft of sensitive user data, credentials, and site configuration details. Given the CVSS score of 9.3, this flaw represents a critical threat to data integrity and confidentiality that must be addressed immediately to prevent unauthorized access.

Remediation

Immediate Action: Update the Epsiloncool WP Fast Total Search plugin to the latest available version immediately.

Proactive Monitoring: Review web server and database logs for anomalous query patterns, such as unexpected SQL syntax errors or attempts to access system tables.

Compensating Controls: Implement a Web Application Firewall (WAF) with updated rulesets designed to detect and block common SQL injection patterns targeting WordPress plugins.
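The log-review step above is easier to operationalise with a small scanner. The following is an added example (not code from the advisory, the plugin vendor, or any WAF product) that parses Apache/nginx combined-format access log lines, decodes every query-string parameter (twice, to catch double encoding), and scores each value against a few weighted SQL injection indicators. Because the advisory does not name the vulnerable search parameters, the scanner checks all parameters rather than assuming `s` or any plugin-specific name; the log lines, IP addresses and timestamps are constructed sample data, and the indicator list and weights are the author's own heuristic choices.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined/common log format: client, ident, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicator classes with weights (assumed heuristic, not a vendor ruleset).
# A bare keyword is weak evidence on a search endpoint, since people search for
# words like "select" too; a quote followed by a boolean operator is much stronger.
INDICATORS = [
    ("sql-keyword", 1, re.compile(
        r"\b(union|select|insert|update|delete|drop|sleep|benchmark|information_schema)\b",
        re.I)),
    ("sql-comment", 1, re.compile(r"(--|/\*|\*/|#)")),
    ("quote-boolean", 2, re.compile(r"['\"]\s*(or|and)\s+['\"\d]", re.I)),
]
HIGH_THRESHOLD = 2  # total weight at or above this is reported as "high"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes once; decode once more so double-encoded payloads
    # are inspected in the form the application would eventually see.
    rec["params"] = [(k, unquote(v))
                     for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return rec


def score_value(value):
    """Return (score, [indicator names]) for one decoded parameter value."""
    score, hits = 0, []
    for name, weight, rx in INDICATORS:
        if rx.search(value):
            score += weight
            hits.append(name)
    return score, hits


def scan_log(lines):
    """Return one finding per (request, parameter) pair that trips any indicator."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for key, value in rec["params"]:
            score, hits = score_value(value)
            if not hits:
                continue
            findings.append({
                "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                "status": rec["status"], "param": key, "value": value,
                "indicators": hits,
                "severity": "high" if score >= HIGH_THRESHOLD else "low",
            })
    return findings


def per_client(findings):
    """Count high-severity findings per client IP, for triage ordering."""
    counts = {}
    for f in findings:
        if f["severity"] == "high":
            counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


# Constructed sample log lines (RFC 5737 documentation addresses, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2026:10:01:02 +0000] "GET /?s=laptop HTTP/1.1" 200 5120',
    '203.0.113.44 - - [12/Mar/2026:10:01:05 +0000] '
    '"GET /?s=laptop%27%20UNION%20SELECT%201%2C2%2C3--%20- HTTP/1.1" 500 312',
    '203.0.113.44 - - [12/Mar/2026:10:01:09 +0000] '
    '"GET /?s=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9800',
    '192.0.2.5 - - [12/Mar/2026:10:01:30 +0000] "GET /?s=select+laptop+model HTTP/1.1" 200 4410',
    '198.51.100.7 - - [12/Mar/2026:10:02:00 +0000] '
    '"GET /?s=%2527%2520OR%25201%253D1 HTTP/1.1" 200 9800',
    '192.0.2.9 - - [12/Mar/2026:10:02:10 +0000] '
    '"POST /wp-admin/admin-ajax.php?action=search&q=phone HTTP/1.1" 200 211',
]

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f'{f["severity"]:4} {f["ip"]:14} {f["status"]} {f["param"]}='
              f'{f["value"]!r} {f["indicators"]}')
    print("high-severity hits per client:", per_client(results))
```

A 500 response paired with a high-severity finding is worth pulling the matching database error log entry for, since a syntax error from an injected quote is the "unexpected SQL syntax error" signal the remediation section refers to. The low-severity bucket exists so that a user searching for "select laptop model" does not page anyone; tune the weights to your own traffic before wiring the output into alerting.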

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The severity of this vulnerability necessitates an immediate response. Administrators should prioritize patching the Epsiloncool WP Fast Total Search plugin across all affected environments to eliminate the risk of database compromise. Failure to update may expose the organization to significant data breach risks.