CVE-2025-48118
BaseFortify
Publication date: 2025-06-17
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-48118 is a high-severity SQL Injection vulnerability in the WordPress WooCommerce Partial Shipment plugin versions up to and including 3.2. It allows a malicious user with subscriber-level privileges to interact directly with the website's database by injecting malicious SQL commands. This can lead to unauthorized access or manipulation of the database, such as data theft or other harmful actions. [1]
How can this vulnerability impact me? :
This vulnerability can lead to significant impacts including unauthorized database access, data theft, and potential manipulation of sensitive information stored in the database. Because it allows an attacker to execute SQL commands, it can compromise the integrity and confidentiality of your website's data. There is a high risk of mass exploitation by automated attacks if the vulnerability is left unpatched. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands provided in the available resources. However, since the vulnerability allows SQL Injection via the WooCommerce Partial Shipment plugin (version β€3.2), monitoring for unusual database queries or suspicious HTTP requests targeting this plugin could help detect exploitation attempts. Using web application firewalls (WAF) or security tools that can detect SQL Injection patterns may assist in detection. Patchstackβs virtual patch also blocks attack attempts, which implies that enabling such protections can help detect or prevent exploitation. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves applying Patchstack's virtual patch (vPatch), which automatically blocks attack attempts targeting this SQL Injection vulnerability in WooCommerce Partial Shipment plugin versions up to 3.2. Since no official fix or patched version is available yet, deploying this virtual patch is the fastest and safest way to protect affected sites. Additionally, users should monitor their sites for signs of compromise and consider professional incident response if a breach is suspected. [1]