CVE-2025-9697
Published: 02 October 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-9697 is a SQL injection vulnerability in the Ajax WooSearch WordPress plugin, affecting versions up to and including 1.0.0. The plugin takes a request parameter and places it in a SQL statement without sanitizing or escaping it, and the code path is reachable through an AJAX action registered for unauthenticated users (in WordPress terms, a wp_ajax_nopriv_ hook dispatched by wp-admin/admin-ajax.php). Published on 2025-10-02, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
Because the action needs no login, anyone who can reach the site over the network can exploit it with low attack complexity and no user interaction. Crafted requests to the exposed AJAX endpoint inject attacker-controlled SQL, which runs with the privileges of the site's database user and can therefore read, modify, or delete data in the WordPress database, matching the high confidentiality, integrity, and availability impact in the vector.
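To make the vulnerability class concrete, the following is an added illustration of the pattern the summary describes, a nopriv AJAX handler that interpolates a request parameter into a LIKE query, placed next to a corrected handler that binds the value through $wpdb->prepare(). This is example code written for this page; it is not the Ajax WooSearch plugin's source, and the action names, the function names, and the `term` parameter are hypothetical. The WordPress APIs used (add_action, $wpdb->prepare, $wpdb->esc_like, sanitize_text_field, wp_unslash, wp_send_json_success) are real.

```php
<?php
// Added example for CVE-2025-9697's vulnerability class. NOT the plugin's code;
// action names, function names and the 'term' parameter are hypothetical.

// VULNERABLE PATTERN: the wp_ajax_nopriv_ hook makes the handler callable by
// logged-out visitors through /wp-admin/admin-ajax.php?action=example_search,
// and $_POST['term'] is concatenated straight into the SQL string. A value
// containing a single quote closes the LIKE literal and the rest of the
// value is parsed as SQL, which is exactly what the advisory describes.
add_action('wp_ajax_nopriv_example_search', 'example_search_vulnerable');
add_action('wp_ajax_example_search', 'example_search_vulnerable');

function example_search_vulnerable() {
    global $wpdb;
    $term = isset($_POST['term']) ? $_POST['term'] : '';
    $sql  = "SELECT ID, post_title FROM {$wpdb->posts}"
          . " WHERE post_type = 'product' AND post_status = 'publish'"
          . " AND post_title LIKE '%" . $term . "%' LIMIT 10";
    wp_send_json_success($wpdb->get_results($sql));
}

// FIXED PATTERN: unslash and sanitize the input, escape the LIKE wildcards
// (% and _) so user text cannot widen the match, then bind the value with
// prepare(). The term can only ever be a string operand of LIKE; the SQL
// structure is fixed at development time regardless of what is sent.
add_action('wp_ajax_nopriv_example_search_fixed', 'example_search_fixed');
add_action('wp_ajax_example_search_fixed', 'example_search_fixed');

function example_search_fixed() {
    global $wpdb;
    $term = isset($_POST['term'])
        ? sanitize_text_field(wp_unslash($_POST['term']))
        : '';
    if ($term === '') {
        wp_send_json_error('empty term', 400);
    }
    $like = '%' . $wpdb->esc_like($term) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}"
        . " WHERE post_type = 'product' AND post_status = 'publish'"
        . " AND post_title LIKE %s LIMIT %d",
        $like,
        10
    );
    wp_send_json_success($wpdb->get_results($sql));
}
```

Two points worth checking when reviewing a plugin for this pattern: sanitize_text_field() on its own is not an SQL defence (it strips tags and control characters, not quotes), so the binding through prepare() is what removes the injection; and a nonce check would only restrict who can call the action, not what the query does, so it is not a substitute for parameterization on an endpoint that is meant to stay public.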
Mitigation details are available in the WPScan advisory at https://wpscan.com/vulnerability/38939152-e54e-4f8f-996b-592de195570d/. Check it for a fixed plugin release; where none is available, deactivating or removing the plugin removes the exposure, since admin-ajax.php only dispatches actions registered by active plugins.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated SQL injection in a public-facing WordPress plugin is a direct instance of T1190 (Exploit Public-Facing Application): the AJAX endpoint is the initial access vector. The injected SQL then serves T1213.006 (Data from Information Repositories: Databases), letting the attacker query the WordPress database for extraction, or alter or delete its contents.