CVE-2025-9697: 
WordPress vulnerability analysis and mitigation

The Ajax WooSearch WordPress plugin through version 1.0.0 contains a SQL injection vulnerability identified as CVE-2025-9697. The vulnerability was discovered and disclosed on September 11, 2025, by security researcher Khaled Alenazi. This security flaw affects the plugin's AJAX functionality that processes search product actions and is accessible to unauthenticated users (WPScan).

The vulnerability stems from improper sanitization and escaping of a parameter in SQL statements that are processed through an AJAX action. The flaw has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a critical severity level. The vulnerability is classified as CWE-89 (SQL Injection) and falls under the OWASP Top 10 category A1: Injection (WPScan, NVD).

The SQL injection vulnerability allows unauthenticated attackers to execute arbitrary SQL commands against the affected WordPress database. This can lead to unauthorized access to sensitive data, manipulation of database contents, and potential compromise of the entire WordPress installation. The high severity rating indicates that successful exploitation could result in a complete compromise of system confidentiality, integrity, and availability (WPScan).

Currently, there is no known fix available for this vulnerability in the Ajax WooSearch WordPress plugin. Website administrators using the affected plugin should consider removing it until a security patch is released (WPScan).