CVE-2025-30765
Published: 27 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-30765 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, enabling Blind SQL Injection, in the WPPOOL FlexStock stock-sync-with-google-sheet-for-woocommerce WordPress plugin. This issue affects FlexStock versions from n/a through 3.13.1. The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L) and is associated with CWE-89. It was published on 2025-03-27.
Exploitation requires high privileges (PR:H), allowing authenticated attackers with such access to target the vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation results in high confidentiality impact (C:H) through data extraction via blind SQL injection, low availability impact (A:L), no integrity impact (I:N), and a changed scope (S:C), potentially compromising sensitive database information.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/stock-sync-with-google-sheet-for-woocommerce/vulnerability/wordpress-flexstock-3-13-1-sql-injection-vulnerability?_s_id=cve provides further details on the vulnerability.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in a public-facing WordPress plugin directly enables exploitation of the web application for database data extraction.