Search criteria

1 vulnerability by martins56

CVE-2025-10142 (GCVE-0-2025-10142)

Vulnerability from cvelistv5 – Published: 2025-09-10 06:38 – Updated: 2025-09-10 14:59
VLAI?
Title
PagBank / PagSeguro Connect para WooCommerce <= 4.44.3 - Authenticated (Shop Manager+) SQL Injection
Summary
The PagBank / PagSeguro Connect para WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'status' parameter in all versions up to, and including, 4.44.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity ?
4.9 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
Vendor Product Version
martins56 PagBank / PagSeguro Connect para WooCommerce Affected: * , ≤ 4.44.3 (semver)
Create a notification for this product.
Credits
Moose Love
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-10142",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-10T14:52:05.879326Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-10T14:59:27.883Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PagBank / PagSeguro Connect para WooCommerce",
          "vendor": "martins56",
          "versions": [
            {
              "lessThanOrEqual": "4.44.3",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Moose Love"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The PagBank / PagSeguro Connect para WooCommerce plugin for WordPress is vulnerable to SQL Injection via the \u0027status\u0027 parameter in all versions up to, and including, 4.44.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for authenticated attackers, with Shop Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-10T06:38:51.593Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d774bd22-4d4e-42d4-b4ae-c833dd36aa79?source=cve"
        },
        {
          "url": "https://wordpress.org/plugins/pagbank-connect/"
        },
        {
          "url": "https://github.com/r-martins/PagBank-WooCommerce/commit/a9c3352fae0bb17b4c359ebe212bf4652e756b43#diff-b2c1b76195d79c48df3a3a809e0fa3e7ce08dc4a4ad6e9bba3c599ae1c28c2d2"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3358325%40pagbank-connect\u0026new=3358325%40pagbank-connect\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-09-09T05:25:47.000+00:00",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2025-09-09T18:11:36.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "PagBank / PagSeguro Connect para WooCommerce \u003c= 4.44.3 - Authenticated (Shop Manager+) SQL Injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-10142",
    "datePublished": "2025-09-10T06:38:51.593Z",
    "dateReserved": "2025-09-08T20:46:52.706Z",
    "dateUpdated": "2025-09-10T14:59:27.883Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}