Cyber Posture

CVE-2025-22352

High

Published: 07 January 2025

Modified: 23 April 2026
KEV Added
Patch
CVSS Score: 7.6 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L)
EPSS Score: 0.0365 (87.9th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes elex-bulk-edit-products-prices-attributes-for-woocommerce-basic allows Blind SQL Injection. This issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes: from n/a through <= 1.4.9.

Security Summary

CVE-2025-22352 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, that enables Blind SQL Injection in the ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes plugin for WordPress (slug: elex-bulk-edit-products-prices-attributes-for-woocommerce-basic). The vulnerability affects all versions from n/a through 1.4.9.

With a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L), the flaw is exploitable remotely over the network with low attack complexity and no user interaction, but it requires high privileges (PR:H), such as an administrator account. The confidentiality impact is high, for example extraction of sensitive data from the database via blind SQL techniques; the integrity impact is none and the availability impact is low. The scope is changed (S:C), meaning the impact can extend beyond the vulnerable component itself.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/elex-bulk-edit-products-prices-attributes-for-woocommerce-basic/vulnerability/wordpress-elex-woocommerce-advanced-bulk-edit-products-prices-attributes-plugin-1-4-8-sql-injection-vulnerability?_s_id=cve, which documents the issue in versions up to 1.4.9. Security practitioners should update to a version beyond 1.4.9 where available.

Details

CWE(s)
CWE-89
