EIP-2026-114138
PRE-CVEWordPress Plugin Ultimate Product Catalog 3.9.8 - do_shortcode via ajax Blind SQL Injection
Title source: legacyExploitation Summary
EIP tracks 1 public exploit for EIP-2026-114138. PoCs published by i0akiN SEC-LABORATORY.
AI-analyzed exploit summary This exploit demonstrates an unauthenticated blind SQL injection vulnerability in WordPress Ultimate Product Catalog <= 3.9.8. The vulnerability arises from unsanitized input in the `id` parameter passed via AJAX to the `UPCP_Filter_Catalogue` function, which then executes a vulnerable shortcode.
Description
WordPress Plugin Ultimate Product Catalog 3.9.8 - do_shortcode via ajax Blind SQL Injection
Exploits (1)
This exploit demonstrates an unauthenticated blind SQL injection vulnerability in WordPress Ultimate Product Catalog <= 3.9.8. The vulnerability arises from unsanitized input in the `id` parameter passed via AJAX to the `UPCP_Filter_Catalogue` function, which then executes a vulnerable shortcode.