CVE-2025-22505

High

Published: 09 January 2025

Published

09 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

EPSS Score 0.0009 26.2th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crispweb NC Wishlist for Woocommerce nc-wishlist-for-woocommerce allows SQL Injection.This issue affects NC Wishlist for Woocommerce: from n/a through <= 1.0.1.

Security Summary

CVE-2025-22505 is an SQL Injection vulnerability (CWE-89), resulting from improper neutralization of special elements used in an SQL command, in the NC Wishlist for WooCommerce WordPress plugin (also referred to as Crispweb NC Wishlist for Woocommerce nc-wishlist-for-woocommerce). This issue affects all versions of the plugin up to and including 1.0.1.

The vulnerability has a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), indicating exploitation is possible over the network by low-privileged authenticated users with low attack complexity and no user interaction required. Attackers can achieve high confidentiality impact, such as unauthorized access to sensitive data in the database, along with low availability impact and a changed scope affecting additional resources.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/nc-wishlist-for-woocommerce/vulnerability/wordpress-nc-wishlist-for-woocommerce-plugin-1-0-1-sql-injection-vulnerability?_s_id=cve provides details on the vulnerability.

Details

CWE(s): CWE-89

References

https://patchstack.com/database/Wordpress/Plugin/nc-wishlist-for-woocommerce/vulnerability/wordpress-nc-wishlist-for-woocommerce-plugin-1-0-1-sql-injection-vulnerability?_s_id=cve
audit@patchstack.com