Cart66 Plugin for WordPress contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the shortcodeProductsTable() function in /models/Cart66Ajax.php not properly sanitizing user-supplied input passed via the ‘id’ parameter in the /wp-admin/admin-ajax.php script. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.