Cyber Posture

CVE-2025-22710

High

Published: 21 January 2025

Modified: 23 April 2026
KEV Added
Patch
CVSS Score: 7.6 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L)
EPSS Score: 0.1910 (95.4th percentile)
Risk Priority: 27 (60% EPSS · 20% KEV · 20% CVSS)

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in storeapps Smart Manager smart-manager-for-wp-e-commerce allows Blind SQL Injection. This issue affects Smart Manager: from n/a through <= 8.52.0.

Security Summary

CVE-2025-22710 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that enables Blind SQL Injection in the storeapps Smart Manager plugin for WordPress, specifically the smart-manager-for-wp-e-commerce component. This issue affects Smart Manager versions from n/a through 8.52.0 and is associated with CWE-89.

The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L), indicating it can be exploited remotely over the network with low attack complexity by high-privileged users without requiring user interaction. Exploitation changes scope and primarily impacts confidentiality at a high level, with low availability impact and no integrity impact, allowing attackers to extract sensitive data from the underlying database through blind SQL injection techniques.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/smart-manager-for-wp-e-commerce/vulnerability/wordpress-smart-manager-plugin-8-52-0-sql-injection-vulnerability?_s_id=cve provides details on this WordPress Smart Manager plugin 8.52.0 SQL injection vulnerability, including mitigation guidance.

Details

CWE(s)
CWE-89

References