CVE-2016-20065 Overview
CVE-2016-20065 is an SQL injection vulnerability [CWE-89] in the Product Catalog 8 plugin for WordPress, version 1.2. The flaw resides in the selectedCategory parameter handled by the UpdateCategoryList AJAX action. Unauthenticated attackers can send crafted POST requests to admin-ajax.php and inject SQL into the category query the plugin builds from that parameter. Successful exploitation exposes WordPress database tables, including user records and credential hashes.
Critical Impact
Unauthenticated remote attackers can extract sensitive database contents from any WordPress site running Product Catalog 8 version 1.2 by abusing the selectedCategory parameter.
Affected Products
- WordPress Product Catalog 8 plugin, version 1.2
- WordPress installations exposing the admin-ajax.php endpoint with the plugin enabled
- Sites using the UpdateCategoryList AJAX action provided by the plugin
Discovery Timeline
- 2026-06-09 - CVE-2016-20065 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2016-20065
Vulnerability Analysis
The Product Catalog 8 plugin registers an AJAX endpoint that processes category filter requests submitted by site visitors. The handler reads the selectedCategory POST parameter and concatenates it directly into a SQL query without parameterization or sanitization. Because the AJAX action is registered for both authenticated and unauthenticated users through wp_ajax_nopriv_, no login is required to reach the vulnerable code path.
Attackers can append SQL syntax such as UNION SELECT clauses to read arbitrary tables, including the users table (wp_users with the default table prefix). This permits exfiltration of usernames, email addresses, and password hashes. The vulnerability falls under the [CWE-89] classification for improper neutralization of special elements used in an SQL command.
Root Cause
The root cause is direct interpolation of attacker-controlled input into a database query. The plugin fails to use $wpdb->prepare() or equivalent parameter binding when constructing the query for the UpdateCategoryList action. Input validation routines do not enforce type restrictions on selectedCategory, allowing string payloads where a numeric category identifier is expected.
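The concatenating handler described above beside a hardened one, as an added worked example. This is an illustrative reconstruction, not the plugin's own source: only the action name, the selectedCategory parameter and the wp_ajax_nopriv_ registration come from the advisory; the pc8_ prefix, the pc8_categories table and all function names are assumptions.

```php
<?php
// Illustrative reconstruction of the CVE-2016-20065 pattern and its fix. This is
// not the plugin's source: only the action name, the selectedCategory parameter
// and the wp_ajax_nopriv_ registration come from the advisory. The pc8_ prefix,
// the pc8_categories table and the function names are assumptions.

// Vulnerable pattern: the POST value is concatenated straight into the query.
function pc8_update_category_list_vulnerable() {
    global $wpdb;
    $selected = isset( $_POST['selectedCategory'] ) ? $_POST['selectedCategory'] : '';
    // CWE-89: a value such as "1 UNION SELECT ..." changes the query's structure.
    $sql  = "SELECT id, name FROM {$wpdb->prefix}pc8_categories WHERE id = " . $selected;
    $rows = $wpdb->get_results( $sql, ARRAY_A );
    wp_send_json( $rows );
}

// Hardened pattern: allow-list the type first, then bind the value.
function pc8_update_category_list_hardened() {
    global $wpdb;
    $raw = isset( $_POST['selectedCategory'] ) ? wp_unslash( $_POST['selectedCategory'] ) : '';

    // A category id is a positive integer. Reject anything else outright rather
    // than trying to strip SQL keywords out of it (denylists miss variants).
    if ( ! pc8_is_valid_category_id( $raw ) ) {
        wp_send_json_error( array( 'message' => 'invalid category' ), 400 );
    }

    // $wpdb->prepare() with %d binds an integer, so the value can never alter
    // the statement even if the check above were loosened later.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, name FROM {$wpdb->prefix}pc8_categories WHERE id = %d",
            (int) $raw
        ),
        ARRAY_A
    );
    wp_send_json_success( $rows );
}

// Strict validator: digits only, no sign, no whitespace, no leading zero, at
// most ten digits. Pure PHP so it can be exercised without WordPress loaded.
function pc8_is_valid_category_id( $value ) {
    if ( ! is_string( $value ) && ! is_int( $value ) ) {
        return false;
    }
    return (bool) preg_match( '/^[1-9][0-9]{0,9}$/', (string) $value );
}

if ( function_exists( 'add_action' ) ) {
    // Inside WordPress: register only the hardened handler. The nopriv hook is
    // kept on purpose; the category filter is public, which is why the input
    // must be validated rather than the endpoint merely hidden.
    add_action( 'wp_ajax_UpdateCategoryList', 'pc8_update_category_list_hardened' );
    add_action( 'wp_ajax_nopriv_UpdateCategoryList', 'pc8_update_category_list_hardened' );
} elseif ( PHP_SAPI === 'cli' ) {
    // Outside WordPress (php this_file.php): exercise the validator against
    // constructed inputs, including the kinds of payload the advisory describes.
    $cases = array(
        array( '7', true ),
        array( '0', false ),
        array( '-1', false ),
        array( '7 ', false ),
        array( '7 UNION SELECT user_login, user_pass FROM wp_users', false ),
        array( '7) AND SLEEP(5)-- -', false ),
        array( array( '7' ), false ),
    );
    foreach ( $cases as $case ) {
        list( $input, $expected ) = $case;
        $shown = is_array( $input ) ? 'array' : $input;
        printf( "%-55s => %s\n", $shown, pc8_is_valid_category_id( $input ) === $expected ? 'ok' : 'MISMATCH' );
    }
}
```

Loaded inside WordPress the file registers only the hardened handler; run from the command line it exercises the validator. The order of the two defences matters: the type check rejects malformed input with a 400 before any query is built, and binding with %d fixes the statement's structure regardless of what reaches it.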
Attack Vector
Exploitation requires only network access to the target WordPress site. The attacker submits a POST request to /wp-admin/admin-ajax.php containing action=UpdateCategoryList and a malicious selectedCategory value. The injected payload executes within the database context used by WordPress, returning query results in the HTTP response body. Public proof-of-concept exploitation details are available through Exploit-DB #40783 and the VulnCheck Advisory on SQLi.
For the exact request structure and injection mechanics, refer to the published advisories; this page does not reproduce exploit code.
Detection Methods for CVE-2016-20065
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php containing action=UpdateCategoryList from unauthenticated sources
- Request bodies where the selectedCategory parameter contains SQL keywords such as UNION, SELECT, SLEEP, or INFORMATION_SCHEMA
- Increased database query latency correlated with inbound UpdateCategoryList requests, the signature of time-based probing with SLEEP() or BENCHMARK()
- Queries that join the plugin's category table to wp_users or wp_options; WordPress itself reads wp_options on every request, so the unexpected join, not access to the table, is the signal
Detection Strategies
- Inspect request logs for requests to admin-ajax.php with the UpdateCategoryList action and URL-decode the selectedCategory parameter before checking it for SQL metacharacters; standard access logs do not record POST bodies, so this needs request-body logging from the WAF or reverse proxy (GET requests to admin-ajax.php, which accepts the same parameters, are visible in ordinary access logs)
- Deploy WAF signatures that flag SQL syntax inside the selectedCategory POST field
- Monitor MySQL slow query and general logs for queries referencing the plugin's category table joined with unrelated WordPress tables
Monitoring Recommendations
- Forward WordPress access logs and database audit logs to a centralized analytics platform for correlation
- Alert on repeated admin-ajax.php requests containing encoded SQL operators regardless of response code; admin-ajax.php returns 200 for any registered action, so the status alone does not indicate whether an injection succeeded
- Track baseline volumes of UpdateCategoryList requests and trigger on sudden spikes from single source IPs
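The log inspection, the allow-list check and the per-IP volume count described in the detection and monitoring lists above, as an added example that is not part of the original advisory. The input format is an assumption: one JSON object per request with ip, method, uri, body and status, as a reverse proxy or WAF with request-body logging might emit. The sample records are constructed.

```php
<?php
// Added example for CVE-2016-20065 detection; not from the original advisory.
// Input format is an assumption: one JSON object per request with ip, method,
// uri, body and status, as a reverse proxy or WAF with request-body logging
// would emit. Ordinary access logs carry no POST body, so there only GET
// requests to admin-ajax.php (which accepts the same parameters) are visible.

const PC8_ACTION   = 'UpdateCategoryList';
const PC8_ENDPOINT = '/wp-admin/admin-ajax.php';
// Tokens that never appear in a legitimate numeric category id.
const PC8_SQLI_RE  = '/\b(union|select|sleep|benchmark|information_schema)\b|--|[;\'"]/i';

// Return the selectedCategory values submitted to the UpdateCategoryList action
// from both the query string and the body. parse_str() URL-decodes exactly once,
// like PHP does when it builds $_GET/$_POST, so we inspect what the plugin saw.
function pc8_selected_category_values( $uri, $body ) {
    $found   = array();
    $sources = array( (string) parse_url( $uri, PHP_URL_QUERY ), (string) $body );
    foreach ( $sources as $encoded ) {
        if ( $encoded === '' ) {
            continue;
        }
        parse_str( $encoded, $params );
        if ( ! isset( $params['action'], $params['selectedCategory'] ) ) {
            continue;
        }
        if ( $params['action'] !== PC8_ACTION || ! is_string( $params['selectedCategory'] ) ) {
            continue;
        }
        $found[] = $params['selectedCategory'];
    }
    return $found;
}

// Allow-list first: a real id is a positive integer. Anything else is at least
// "unexpected"; SQL tokens upgrade it to "sqli".
function pc8_classify_value( $value ) {
    if ( preg_match( '/^[1-9][0-9]{0,9}$/', $value ) ) {
        return 'ok';
    }
    return preg_match( PC8_SQLI_RE, $value ) ? 'sqli' : 'unexpected';
}

// Scan JSON-lines records. Returns the findings and a per-IP count of
// UpdateCategoryList requests for the volume baseline / spike check.
function pc8_scan_log( array $lines ) {
    $findings = array();
    $per_ip   = array();
    foreach ( $lines as $n => $line ) {
        $rec = json_decode( trim( $line ), true );
        if ( ! is_array( $rec ) || ! isset( $rec['uri'] ) ) {
            continue;
        }
        if ( parse_url( $rec['uri'], PHP_URL_PATH ) !== PC8_ENDPOINT ) {
            continue;
        }
        $values = pc8_selected_category_values( $rec['uri'], $rec['body'] ?? '' );
        if ( ! $values ) {
            continue;
        }
        $ip = $rec['ip'] ?? '?';
        $per_ip[ $ip ] = ( $per_ip[ $ip ] ?? 0 ) + 1;
        foreach ( $values as $value ) {
            $verdict = pc8_classify_value( $value );
            if ( $verdict === 'ok' ) {
                continue;
            }
            $findings[] = array(
                'line'    => $n + 1,
                'ip'      => $ip,
                'method'  => $rec['method'] ?? '?',
                'status'  => $rec['status'] ?? null,
                'verdict' => $verdict,
                'value'   => $value,
            );
        }
    }
    return array( 'findings' => $findings, 'per_ip' => $per_ip );
}

// Constructed sample records (not real traffic): a benign filter, a UNION probe
// in a POST body, a time-based probe via GET, and an unrelated AJAX action.
$pc8_sample_log = array(
    '{"ip":"203.0.113.10","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=UpdateCategoryList&selectedCategory=7","status":200}',
    '{"ip":"198.51.100.23","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=UpdateCategoryList&selectedCategory=7+UNION+SELECT+user_login%2Cuser_pass+FROM+wp_users","status":200}',
    '{"ip":"198.51.100.23","method":"GET","uri":"/wp-admin/admin-ajax.php?action=UpdateCategoryList&selectedCategory=7%29+AND+SLEEP%285%29--+-","status":200}',
    '{"ip":"203.0.113.10","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=heartbeat&_nonce=abc","status":200}',
);

if ( PHP_SAPI === 'cli' ) {
    $result = pc8_scan_log( $pc8_sample_log );
    foreach ( $result['findings'] as $f ) {
        printf( "line %d %-14s %-4s %s [%s] selectedCategory=%s\n",
            $f['line'], $f['ip'], $f['method'], $f['status'], $f['verdict'], $f['value'] );
    }
    foreach ( $result['per_ip'] as $ip => $count ) {
        printf( "%s: %d %s request(s)\n", $ip, $count, PC8_ACTION );
    }
}
```

On the constructed records the scanner reports the two probes from 198.51.100.23 as sqli and leaves the benign request alone, while the per-IP counts give the baseline the spike alert needs. The allow-list comes first on purpose: a value that is not a positive integer is already suspicious for this parameter, and the keyword pattern only grades how suspicious.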
How to Mitigate CVE-2016-20065
Immediate Actions Required
- Deactivate and remove the Product Catalog 8 plugin version 1.2 until a patched release is verified
- Block POST requests containing action=UpdateCategoryList at the WAF or reverse proxy until remediation is complete
- Rotate all user passwords (exfiltrated hashes cover every account, not only administrators) and the authentication keys and salts defined in wp-config.php, which invalidates existing sessions, if exploitation is suspected
- Audit wp_users for unauthorized account creation or privilege changes
Patch Information
No vendor patch is referenced in the available advisories. Review the WordPress Plugin Product Catalog page for the current plugin status and any updated releases. If a fixed version is not published, replace the plugin with a maintained alternative.
Workarounds
- Restrict access to /wp-admin/admin-ajax.php for unauthenticated users through web server access rules where the AJAX endpoint is not required for public functionality
- Apply WAF rules that reject non-numeric values in the selectedCategory parameter
- Enforce least privilege on the MySQL account used by WordPress (no FILE or SUPER privileges, no grants on other databases) to limit what a successful injection can reach; WordPress itself needs full read and write access to its own tables, so this bounds the blast radius rather than preventing exposure of the WordPress database
# Example ModSecurity rule blocking SQL metacharacters in selectedCategory.
# t:urlDecodeUni normalizes double-encoded payloads before the pattern is applied.
# This is a denylist; the stricter option is the allowlist workaround above,
# rejecting every non-numeric value of the parameter.
SecRule ARGS:selectedCategory "@rx (?i)(union|select|sleep|information_schema|--|;)" \
    "id:1020065,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'CVE-2016-20065 Product Catalog 8 SQLi attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


