Search criteria
6 vulnerabilities found for ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes by ELEXtensions
CVE-2025-47645 (GCVE-0-2025-47645)
Vulnerability from cvelistv5 – Published: 2025-07-16 11:28 – Updated: 2025-07-16 14:03
VLAI?
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes allows SQL Injection. This issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes: from n/a through 1.4.9.
Severity ?
8.5 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ELEXtensions | ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes |
Affected:
n/a , ≤ 1.4.9
(custom)
|
Credits
Martino Spagnuolo (r3verii) (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47645",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-16T13:56:03.744344Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T14:03:26.702Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "elex-bulk-edit-products-prices-attributes-for-woocommerce-basic",
"product": "ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes",
"vendor": "ELEXtensions",
"versions": [
{
"changes": [
{
"at": "1.5.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.4.9",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Martino Spagnuolo (r3verii) (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes allows SQL Injection.\u003c/p\u003e\u003cp\u003eThis issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes: from n/a through 1.4.9.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes allows SQL Injection. This issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes: from n/a through 1.4.9."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T11:28:03.281Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/elex-bulk-edit-products-prices-attributes-for-woocommerce-basic/vulnerability/wordpress-elex-woocommerce-advanced-bulk-edit-products-prices-attributes-plugin-1-4-9-subscriber-sql-injection-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes plugin to the latest available version (at least 1.5.0)."
}
],
"value": "Update the WordPress ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes plugin to the latest available version (at least 1.5.0)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes plugin \u003c= 1.4.9 - Subscriber+ SQL Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-47645",
"datePublished": "2025-07-16T11:28:03.281Z",
"dateReserved": "2025-05-07T10:45:05.653Z",
"dateUpdated": "2025-07-16T14:03:26.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3280 (GCVE-0-2025-3280)
Vulnerability from cvelistv5 – Published: 2025-04-24 08:23 – Updated: 2025-04-24 13:06
VLAI?
Summary
The ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes plugin for WordPress is vulnerable to SQL Injection via the 'attribute_value_filter' parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity ?
6.5 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| elextensions | ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes |
Affected:
* , ≤ 1.4.9
(semver)
|
Credits
Nguyen Tan Phat
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3280",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-24T12:53:05.062242Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T13:06:32.669Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes",
"vendor": "elextensions",
"versions": [
{
"lessThanOrEqual": "1.4.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Tan Phat"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes plugin for WordPress is vulnerable to SQL Injection via the \u0027attribute_value_filter\u0027 parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T08:23:51.816Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e2e4b83a-34d5-4a8a-b694-a887a46fe6bf?source=cve"
},
{
"url": "https://wordpress.org/plugins/elex-bulk-edit-products-prices-attributes-for-woocommerce-basic/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-23T19:57:32.000+00:00",
"value": "Disclosed"
}
],
"title": "ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes \u003c= 1.4.9 - Authenticated (Subscriber+) SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-3280",
"datePublished": "2025-04-24T08:23:51.816Z",
"dateReserved": "2025-04-04T14:41:11.374Z",
"dateUpdated": "2025-04-24T13:06:32.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22352 (GCVE-0-2025-22352)
Vulnerability from cvelistv5 – Published: 2025-01-07 10:48 – Updated: 2025-01-07 16:09
VLAI?
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes allows Blind SQL Injection.This issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes: from n/a through 1.4.8.
Severity ?
7.6 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ELEXtensions | ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes |
Affected:
n/a , ≤ 1.4.8
(custom)
|
Credits
Webula (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22352",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T15:51:39.005279Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:09:33.330Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "elex-bulk-edit-products-prices-attributes-for-woocommerce-basic",
"product": "ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes",
"vendor": "ELEXtensions",
"versions": [
{
"lessThanOrEqual": "1.4.8",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Webula (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes allows Blind SQL Injection.\u003c/p\u003e\u003cp\u003eThis issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes: from n/a through 1.4.8.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes allows Blind SQL Injection.This issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes: from n/a through 1.4.8."
}
],
"impacts": [
{
"capecId": "CAPEC-7",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-7 Blind SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T10:48:39.074Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/elex-bulk-edit-products-prices-attributes-for-woocommerce-basic/vulnerability/wordpress-elex-woocommerce-advanced-bulk-edit-products-prices-attributes-plugin-1-4-8-sql-injection-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes Plugin \u003c= 1.4.8 - SQL Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-22352",
"datePublished": "2025-01-07T10:48:39.074Z",
"dateReserved": "2025-01-03T13:16:49.451Z",
"dateUpdated": "2025-01-07T16:09:33.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-47645 (GCVE-0-2025-47645)
Vulnerability from nvd – Published: 2025-07-16 11:28 – Updated: 2025-07-16 14:03
VLAI?
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes allows SQL Injection. This issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes: from n/a through 1.4.9.
Severity ?
8.5 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ELEXtensions | ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes |
Affected:
n/a , ≤ 1.4.9
(custom)
|
Credits
Martino Spagnuolo (r3verii) (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47645",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-16T13:56:03.744344Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T14:03:26.702Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "elex-bulk-edit-products-prices-attributes-for-woocommerce-basic",
"product": "ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes",
"vendor": "ELEXtensions",
"versions": [
{
"changes": [
{
"at": "1.5.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.4.9",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Martino Spagnuolo (r3verii) (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes allows SQL Injection.\u003c/p\u003e\u003cp\u003eThis issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes: from n/a through 1.4.9.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes allows SQL Injection. This issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes: from n/a through 1.4.9."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T11:28:03.281Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/elex-bulk-edit-products-prices-attributes-for-woocommerce-basic/vulnerability/wordpress-elex-woocommerce-advanced-bulk-edit-products-prices-attributes-plugin-1-4-9-subscriber-sql-injection-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes plugin to the latest available version (at least 1.5.0)."
}
],
"value": "Update the WordPress ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes plugin to the latest available version (at least 1.5.0)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes plugin \u003c= 1.4.9 - Subscriber+ SQL Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-47645",
"datePublished": "2025-07-16T11:28:03.281Z",
"dateReserved": "2025-05-07T10:45:05.653Z",
"dateUpdated": "2025-07-16T14:03:26.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3280 (GCVE-0-2025-3280)
Vulnerability from nvd – Published: 2025-04-24 08:23 – Updated: 2025-04-24 13:06
VLAI?
Summary
The ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes plugin for WordPress is vulnerable to SQL Injection via the 'attribute_value_filter' parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity ?
6.5 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| elextensions | ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes |
Affected:
* , ≤ 1.4.9
(semver)
|
Credits
Nguyen Tan Phat
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3280",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-24T12:53:05.062242Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T13:06:32.669Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes",
"vendor": "elextensions",
"versions": [
{
"lessThanOrEqual": "1.4.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Tan Phat"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes plugin for WordPress is vulnerable to SQL Injection via the \u0027attribute_value_filter\u0027 parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T08:23:51.816Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e2e4b83a-34d5-4a8a-b694-a887a46fe6bf?source=cve"
},
{
"url": "https://wordpress.org/plugins/elex-bulk-edit-products-prices-attributes-for-woocommerce-basic/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-23T19:57:32.000+00:00",
"value": "Disclosed"
}
],
"title": "ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes \u003c= 1.4.9 - Authenticated (Subscriber+) SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-3280",
"datePublished": "2025-04-24T08:23:51.816Z",
"dateReserved": "2025-04-04T14:41:11.374Z",
"dateUpdated": "2025-04-24T13:06:32.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22352 (GCVE-0-2025-22352)
Vulnerability from nvd – Published: 2025-01-07 10:48 – Updated: 2025-01-07 16:09
VLAI?
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes allows Blind SQL Injection.This issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes: from n/a through 1.4.8.
Severity ?
7.6 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ELEXtensions | ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes |
Affected:
n/a , ≤ 1.4.8
(custom)
|
Credits
Webula (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22352",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T15:51:39.005279Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:09:33.330Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "elex-bulk-edit-products-prices-attributes-for-woocommerce-basic",
"product": "ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes",
"vendor": "ELEXtensions",
"versions": [
{
"lessThanOrEqual": "1.4.8",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Webula (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes allows Blind SQL Injection.\u003c/p\u003e\u003cp\u003eThis issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes: from n/a through 1.4.8.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes allows Blind SQL Injection.This issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes: from n/a through 1.4.8."
}
],
"impacts": [
{
"capecId": "CAPEC-7",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-7 Blind SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T10:48:39.074Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/elex-bulk-edit-products-prices-attributes-for-woocommerce-basic/vulnerability/wordpress-elex-woocommerce-advanced-bulk-edit-products-prices-attributes-plugin-1-4-8-sql-injection-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress ELEX WooCommerce Advanced Bulk Edit Products, Prices \u0026 Attributes Plugin \u003c= 1.4.8 - SQL Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-22352",
"datePublished": "2025-01-07T10:48:39.074Z",
"dateReserved": "2025-01-03T13:16:49.451Z",
"dateUpdated": "2025-01-07T16:09:33.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}