CVE-2026-57683
Epsiloncool · WP Fast Total Search
An unauthenticated SQL injection vulnerability exists in Epsiloncool WP Fast Total Search versions 1.80.280 and earlier, allowing remote attackers to manipulate database queries.
Executive summary
An unauthenticated SQL injection vulnerability in Epsiloncool WP Fast Total Search poses a critical risk of unauthorized database access and potential data exfiltration.
Vulnerability
This is an unauthenticated SQL injection vulnerability occurring within the search functionality of the plugin. An attacker can execute arbitrary SQL commands by injecting malicious payloads into vulnerable search parameters without requiring prior authentication.
Business impact
Successful exploitation of this vulnerability can lead to full database compromise, potentially resulting in the theft of sensitive user data, credentials, and site configuration details. Given the CVSS score of 9.3, this flaw represents a critical threat to data integrity and confidentiality that must be addressed immediately to prevent unauthorized access.
Remediation
Immediate Action: Update the Epsiloncool WP Fast Total Search plugin to the latest available version without delay.
Proactive Monitoring: Review web server and database logs for anomalous query patterns, such as unexpected SQL syntax errors or attempts to access system tables.
Compensating Controls: Implement a Web Application Firewall (WAF) with updated rulesets designed to detect and block common SQL injection patterns targeting WordPress plugins.
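As an added, defender-side example (not code from the advisory, the plugin vendor or the plugin itself), the log review step above can be automated: the script below parses constructed access-log lines in combined format, URL-decodes every query parameter, and flags values that carry SQL syntax such as UNION SELECT, references to information_schema, or time-delay functions. The parameter name `q` and the log lines are constructed; the advisory does not name the vulnerable search parameter, so every parameter is inspected.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Indicators of SQL syntax inside a URL parameter value. Matching runs on the
# URL-decoded, lower-cased value so percent-encoded probes are not missed.
SQLI_INDICATORS = [
    re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b"),   # UNION-based extraction
    re.compile(r"\binformation_schema\b"),                   # system table enumeration
    re.compile(r"\b(sleep|benchmark)\s*\("),                 # time-based blind probes
    re.compile(r"'\s*(or|and)\s+['\d]"),                     # tautology after a quote
    re.compile(r"(--|#|/\*)\s*$"),                           # trailing SQL comment
]

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def decode_params(target):
    """Return (name, decoded value) pairs from the request target's query string."""
    query = urlsplit(target).query          # parse_qsl decodes %xx and '+' for us
    return parse_qsl(query, keep_blank_values=True)

def scan_line(line):
    """Return a finding dict if any query parameter carries SQL syntax, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    for name, value in decode_params(m.group("target")):
        hits = [p for p in SQLI_INDICATORS if p.search(value.lower())]
        if hits:
            # A 5xx alongside SQL syntax often means the injected query broke parsing.
            return {"ip": m.group("ip"), "ts": m.group("ts"), "param": name,
                    "value": value, "status": int(m.group("status")),
                    "indicators": len(hits)}
    return None

def scan_log(lines):
    """Scan an iterable of log lines and return findings in log order."""
    return [f for f in (scan_line(l) for l in lines) if f]

# Constructed sample lines (not real traffic): a benign search, an encoded
# UNION probe that produced a server error, and a time-based probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2026:10:00:01 +0000] "GET /?q=winter+boots HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2026:10:00:07 +0000] "GET /?q=x%27+UNION+SELECT+table_name+FROM+information_schema.tables--+ HTTP/1.1" 500 312',
    '198.51.100.9 - - [01/Jan/2026:10:00:09 +0000] "GET /?q=x%27+AND+SLEEP%285%29--+ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Feed real access logs through `scan_log` line by line and correlate the flagged source IPs with database error logs from the same window.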
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The severity of this vulnerability necessitates an immediate response. Administrators should prioritize patching the Epsiloncool WP Fast Total Search plugin across all affected environments to eliminate the risk of database compromise. Failure to update may expose the organization to significant data breach risks.