A critical SQL injection vulnerability has been discovered in the Ultimate Product Catalogue plugin, potentially exposing websites to data theft and other malicious activities. This vulnerability, reported by Ilyase Dehy, allows attackers to execute arbitrary SQL commands, leading to potential compromise of sensitive data and system integrity. The vulnerability was promptly patched in version 7.7 of the Ultimate Product Catalogue plugin, emphasizing the importance of updating to the latest version to ensure WordPress security and protect against malware.

The SQL injection vulnerability lies in the UPCP_Product_Table class: attacker-controlled input reaches a query that this class builds, so arbitrary SQL can be injected and executed against the site's database.

Severity:

With a CVSS 3.1 score of 7.6, this vulnerability is classified as high severity. Because it is likely to be exploited, it poses a significant risk to affected systems.

Affected Versions:

Ultimate Product Catalogue versions 7.6 and earlier are affected by this vulnerability.

Impact:

Exploiting this vulnerability grants attackers several dangerous capabilities, including:

• Reading or altering sensitive data stored in the database

• Creating or deleting arbitrary database records

• Executing unauthorized commands on the affected system

Recommendation:

For users running any version of the affected Ultimate Product Catalogue plugin, it is imperative to update to version 7.7 without delay. This latest release contains a comprehensive fix for the SQL injection vulnerability, ensuring your WordPress site is protected from potential attacks.
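To check a fleet of WordPress installs against the affected/fixed boundary above, here is an added helper script (not part of the original advisory or the plugin's own code). It assumes WP-CLI is installed and that the plugin's slug is "ultimate-product-catalogue"; the fixed version 7.7 comes from the advisory.

```shell
#!/bin/sh
# Added example: flag WordPress installs still running an affected Ultimate Product Catalogue.
# Assumptions (not stated in the advisory): WP-CLI is available as `wp`, and the plugin
# slug is "ultimate-product-catalogue". Fixed version 7.7 is taken from the advisory.
FIXED_VERSION="7.7"
PLUGIN_SLUG="ultimate-product-catalogue"

# version_lt A B : succeed (return 0) when dot-separated version A is strictly lower than B.
# Missing components count as 0 (so 7 < 7.7), and non-digit suffixes such as "-beta" are ignored.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; bh=${b%%.*}
    # Advance past the consumed component, or clear the string when no dot remains.
    if [ "$ah" = "$a" ]; then a=""; else a=${a#*.}; fi
    if [ "$bh" = "$b" ]; then b=""; else b=${b#*.}; fi
    ah=$(printf '%s' "$ah" | tr -cd '0-9'); bh=$(printf '%s' "$bh" | tr -cd '0-9')
    ah=${ah:-0}; bh=${bh:-0}
    if [ "$ah" -lt "$bh" ]; then return 0; fi
    if [ "$ah" -gt "$bh" ]; then return 1; fi
  done
  return 1
}

# upcp_vulnerable VERSION : succeed when VERSION is below the fixed release (7.6 and earlier).
upcp_vulnerable() { version_lt "$1" "$FIXED_VERSION"; }

# check_site PATH : query the installed plugin version with WP-CLI and report its status.
# Returns 1 for an affected install so the script can be used in monitoring jobs.
check_site() {
  path="$1"
  if ! v=$(wp --path="$path" plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null); then
    echo "$path: $PLUGIN_SLUG not installed"
    return 0
  fi
  if upcp_vulnerable "$v"; then
    echo "$path: $PLUGIN_SLUG $v is AFFECTED (below $FIXED_VERSION); update to $FIXED_VERSION or later"
    return 1
  fi
  echo "$path: $PLUGIN_SLUG $v is patched"
}

# Usage: ./upcp_check.sh /var/www/site1 /var/www/site2 ...
for site in "$@"; do check_site "$site" || true; done
```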