CVE-2025-26875
Published: 15 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26875 is an SQL injection vulnerability (CWE-89) stemming from improper neutralization of special elements used in an SQL command. It affects the Multiple Shipping And Billing Address For Woocommerce WordPress plugin by silverplugins217, with the flaw present in all versions from n/a through 1.3 inclusive.
The vulnerability carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L), marking it as critical. Unauthenticated attackers (PR:N) can exploit it remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables high-impact confidentiality breaches (C:H), such as unauthorized access to sensitive data in the database, alongside low availability disruption (A:L) and no integrity impact (I:N), with a scope change (S:C) potentially affecting broader system components.
Mitigation guidance is available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/different-shipping-and-billing-address-for-woocommerce/vulnerability/wordpress-multiple-shipping-and-billing-address-for-woocommerce-plugin-1-3-sql-injection-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote SQL injection in a public-facing WordPress plugin directly enables initial access via exploitation of public-facing applications.