CVE-2017-12199

Name of the Vulnerable Software and Affected Versions Etoile Ultimate Product Catalog plugin version 4.2.11

Description The issue concerns SQL injection in the Etoile Ultimate Product Catalog plugin for WordPress. Specifically, the vulnerability is triggered by various POST actions in the wp-admin/admin-ajax.php endpoint, including catalogue update order list-item, video update order video-item, image update order list-item, tag group update order list item, category products update order category-product-item, custom fields update order field-item, categories update order category-item, subcategories update order subcategory-item, and tags update order tag-list-item.

Recommendations For Etoile Ultimate Product Catalog plugin version 4.2.11, update the plugin to a version that addresses the SQL injection issue, as using outdated versions poses a significant risk. As a temporary workaround, consider restricting access to the wp-admin/admin-ajax.php endpoint to minimize the risk of exploitation.