CVE-2025-9697: 
WordPress vulnerability analysis and mitigation

The Ajax WooSearch WordPress plugin through version 1.0.0 contains a critical SQL injection vulnerability identified as CVE-2025-9697. The vulnerability was discovered by Khaled Alenazi (Nxploited) and publicly disclosed on September 11, 2025. The issue affects unauthenticated users who can exploit an AJAX action due to improper parameter sanitization and escaping in SQL statements (WPScan, NVD).

The vulnerability stems from inadequate sanitization and escaping of parameters in SQL statements accessed through an AJAX action. The affected endpoint is 'wp-admin/admin-ajax.php' with the action 'woossearchproduct_action'. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high severity across confidentiality, integrity, and availability impacts (CISA-ADP).

The SQL injection vulnerability allows unauthenticated attackers to execute arbitrary SQL commands against the database. This can lead to unauthorized access to sensitive data, manipulation of database contents, and potential complete compromise of the WordPress installation (WPScan).

Currently, there is no known fix available for this vulnerability. Website administrators running the affected Ajax WooSearch plugin should consider disabling the plugin until a security patch is released (WPScan).