CVE-2016-20065 in Product Catalog 8

Summary

by MITRE • 06/09/2026

The Product Catalog 8 plugin 1.2 for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious input through the selectedCategory parameter. Attackers can submit POST requests to the admin-ajax.php endpoint with the UpdateCategoryList action to extract sensitive information from the WordPress database tables.


Analysis

by VulDB Data Team • 06/09/2026

The Product Catalog 8 plugin 1.2 for WordPress contains a critical SQL injection vulnerability. The flaw lies in the plugin's handling of the selectedCategory parameter, which is processed without adequate sanitization or validation. It is reachable through the admin-ajax.php endpoint via the UpdateCategoryList action, giving an attacker a direct path to run SQL statements against the site's database and extract its contents.

The vulnerability is exploitable without authentication: an attacker does not need valid credentials. This is particularly concerning because the affected code is exposed through the WordPress AJAX endpoint (admin-ajax.php), which is commonly used for dynamic content updates and user interactions and can be reached by anonymous visitors. When a POST request carrying a SQL payload in the selectedCategory parameter is processed, the plugin neither escapes nor filters the value before incorporating it into its database query, so the attacker's SQL is executed by the database.

The impact extends beyond simple data theft: an attacker can extract sensitive information from the WordPress database tables, including user credentials, configuration settings, and other confidential data. Successful exploitation allows comprehensive database enumeration and can facilitate follow-on attacks such as privilege escalation, data manipulation, or complete system compromise. Because no authentication is required, anyone who can reach the affected site can exploit the flaw, which makes it especially dangerous for publicly accessible installations.

From a technical perspective, this vulnerability corresponds to CWE-89 (SQL injection), in which attacker-supplied input is incorporated into an SQL command and executed by the database. It is a classic case of insufficient input validation and failure to neutralize input before it is placed in a query, a pattern that features in the OWASP Top Ten. The ATT&CK framework categorizes this as a Database Enumeration technique, where adversaries systematically extract information from database systems. Exploitation requires minimal expertise and can be automated, making it a preferred target for both skilled attackers and script kiddies.

Mitigation should begin with immediately updating the Product Catalog 8 plugin to version 1.3 or later, which contains the fixes for input sanitization. Organizations should implement proper input validation and parameterized queries throughout their WordPress installations to prevent similar vulnerabilities. A web application firewall adds a defense-in-depth layer, and regular security audits and penetration testing should be conducted to identify and remediate similar issues. Database access controls and privilege separation should also be enforced to limit the impact of a successful exploitation attempt.
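The following is an added illustration, not the plugin's own code, of the defect class the analysis above describes and of the parameterized-query fix it recommends. It shows a hypothetical admin-ajax handler for the UpdateCategoryList action that concatenates selectedCategory straight into SQL, beside a hardened version that validates the value and uses WordPress's $wpdb->prepare(). The function names, the pc8_products table, its columns, and the nonce action name are assumptions.

```php
<?php
// Added example (not Product Catalog 8's code). Table name, column names,
// function names and the nonce action are assumptions for illustration.

// --- Vulnerable pattern (the "before" shape described in the advisory) ---
// The raw request value is spliced into the SQL string, so any quote or
// operator in selectedCategory changes the structure of the statement.
function pc8_update_category_list_vulnerable() {
    global $wpdb;
    $selected = isset($_POST['selectedCategory']) ? $_POST['selectedCategory'] : '';
    $sql  = "SELECT id, name FROM {$wpdb->prefix}pc8_products "
          . "WHERE category = '" . $selected . "'";   // attacker controls the SQL
    $rows = $wpdb->get_results($sql);
    wp_send_json_success($rows);
}
// Registering the nopriv hook is what makes the handler reachable without
// logging in, which matches the unauthenticated vector in the advisory.
// (Shown for contrast only; a real plugin would register only one handler.)
// add_action('wp_ajax_UpdateCategoryList',        'pc8_update_category_list_vulnerable');
// add_action('wp_ajax_nopriv_UpdateCategoryList', 'pc8_update_category_list_vulnerable');

// --- Hardened version ---
function pc8_update_category_list_hardened() {
    global $wpdb;

    // 1. Tie the request to a nonce issued with the page so it cannot be
    //    replayed cross-site. Dies with a 403 on mismatch.
    check_ajax_referer('pc8_category_list', 'nonce');

    // 2. Validate the input against what the feature actually expects.
    //    A category is assumed here to be a positive integer id.
    $selected = isset($_POST['selectedCategory']) ? absint($_POST['selectedCategory']) : 0;
    if ($selected === 0) {
        wp_send_json_error('invalid category', 400);
    }

    // 3. Parameterize the query. prepare() binds the value to the %d
    //    placeholder, so it can never alter the statement's structure.
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}pc8_products WHERE category = %d",
        $selected
    );
    $rows = $wpdb->get_results($sql);
    wp_send_json_success($rows);
}

// If categories are free-form strings rather than ids, the same shape
// applies with a %s placeholder and a sanitized string:
function pc8_update_category_list_by_name($name) {
    global $wpdb;
    $name = sanitize_text_field($name);
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, name FROM {$wpdb->prefix}pc8_products WHERE category = %s",
            $name
        )
    );
}

// Register the hardened handler. Only add the nopriv variant if the
// category list is genuinely meant to be public; even then, the nonce check
// and prepared statement above still apply.
add_action('wp_ajax_UpdateCategoryList',        'pc8_update_category_list_hardened');
add_action('wp_ajax_nopriv_UpdateCategoryList', 'pc8_update_category_list_hardened');
```

The decisive change is step 3: with $wpdb->prepare() the selectedCategory value travels to MySQL as data bound to a placeholder rather than as part of the SQL text, so the injection described in the analysis is not possible regardless of what the request contains. Steps 1 and 2 are defense in depth: the nonce stops the endpoint being triggered from a third-party page, and casting to an integer rejects anything that is not a category id before a query is built at all.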

Responsible: VulnCheck

Reservation: 06/09/2026

Disclosure: 06/09/2026

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.00000

KEV: no

Activities: very low
