This vulnerability in Productive Minds Productive Commerce (versions <= 1.1.40) arises from improper neutralization of special elements used in SQL commands, enabling SQL Injection attacks. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L) indicates it can be exploited remotely without authentication or user interaction, causing a complete confidentiality breach and partial availability impact. The vulnerability is publicly disclosed but lacks vendor-provided patch or mitigation details in the current data.

Successful exploitation could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the backend database, leading to full disclosure of sensitive data (confidentiality impact) and partial disruption of service (availability impact). Integrity is not impacted according to the CVSS vector. No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider restricting external access to the affected Productive Commerce instances and monitor for unusual database activity. Avoid exposing the application to untrusted networks if possible.