Cyber Posture

CVE-2025-22799

High

Published: 15 January 2025

Modified: 23 April 2026
KEV Added
Patch
CVSS Score: 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L)
EPSS Score: 0.0011 (29.4th percentile)
Risk Priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in vertim Neon Product Designer (neon-product-designer-for-woocommerce) allows SQL Injection. This issue affects Neon Product Designer: from n/a through <= 2.2.0.

Security Summary

CVE-2025-22799 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the Neon Product Designer for WooCommerce WordPress plugin developed by vertim. The issue impacts all versions of the plugin from n/a through 2.2.0 and was published on 2025-01-15.

The vulnerability has a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L): it is exploitable over the network with low attack complexity and requires no user interaction. It does require low privileges (PR:L), so an authenticated WordPress user with minimal permissions could exploit it. The impact is high on confidentiality (extraction of sensitive data) and low on availability, and the changed scope (S:C) means the effects can reach components beyond the vulnerable plugin itself.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/neon-product-designer-for-woocommerce/vulnerability/wordpress-neon-product-designer-plugin-2-1-1-sql-injection-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-89

References