CVE-2025-24780
BaseFortify
Publication date: 2025-07-04
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
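To make the CWE-89 definition above concrete, here is an added illustration (not code from the Printcart plugin, whose source this page does not show) of the two halves of the weakness: a query assembled by string interpolation, beside the same lookup written with bound parameters. The `designs` table, the rows, the `lookup_*` function names and the payload are all constructed for the example; the point is only that the same input is executed as SQL in one case and compared as a literal in the other.

```python
import sqlite3

# Constructed demo schema: a "designs" table standing in for whatever a
# product-designer plugin stores. It is NOT the Printcart plugin's schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE designs (id INTEGER, owner_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO designs VALUES (?, ?, ?)", [
        (1, 1, "admin-private-logo"),
        (2, 2, "subscriber-tshirt"),
        (3, 3, "other-customer-mug"),
    ])
    return conn

def lookup_vulnerable(conn, design_id, user_id):
    # CWE-89 pattern: the request parameter is pasted straight into the SQL
    # text, so SQL syntax inside it is parsed as SQL. The owner_id condition
    # is meant to stop users reading each other's designs.
    sql = (f"SELECT id, owner_id, name FROM designs "
           f"WHERE id = {design_id} AND owner_id = {user_id}")
    return conn.execute(sql).fetchall()

def lookup_safe(conn, design_id, user_id):
    # Parameterised query: values reach the engine separately from the
    # statement text, so the same payload is compared as a literal and
    # matches nothing. In WordPress the equivalent is $wpdb->prepare()
    # with %d / %s placeholders.
    sql = "SELECT id, owner_id, name FROM designs WHERE id = ? AND owner_id = ?"
    return conn.execute(sql, (design_id, user_id)).fetchall()

def demo():
    # A low-privilege user (user_id 2) sends a crafted design id. The "--"
    # turns the rest of the statement, including the owner_id check, into
    # a comment, so the vulnerable query returns every owner's rows.
    payload = "2 OR 1=1 --"
    conn = build_db()
    return {
        "vulnerable": lookup_vulnerable(conn, payload, 2),  # all three rows
        "safe": lookup_safe(conn, payload, 2),              # []
        "legit": lookup_safe(conn, 2, 2),                   # caller's own row only
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:10s} -> {rows}")
```

Note that the safe version does not "sanitise" anything: it never lets the input become part of the statement at all, which is why it is the fix CWE-89 calls for rather than filtering quotes or keywords.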
AI Powered Q&A
Can you explain this vulnerability to me?
This is a high-severity SQL injection vulnerability (CWE-89) in the Printcart Web to Print Product Designer for WooCommerce WordPress plugin, affecting versions up to 2.4.0. An authenticated user with only subscriber-level privileges can supply input that the plugin places into an SQL statement without neutralising it, so that input is executed as part of the query rather than treated as data. This gives the attacker direct interaction with the site's database, enabling unauthorised data access and potentially other actions against it. The vulnerability falls under OWASP Top 10 A03: Injection. [1]
How can this vulnerability impact me?
An attacker who exploits the flaw can read sensitive data stored in the site's database, and may be able to perform other malicious actions against it. The bar to exploitation is low: Subscriber is the lowest default WordPress role, so on any site that lets visitors create an account the vulnerability is effectively reachable by anyone who registers. The consequences are loss of confidentiality and integrity of your data, and potentially disruption of the site's availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
No specific detection commands are provided for this vulnerability. The first concrete check is whether a vulnerable version is installed: compare the plugin's version against 2.4.0 on the wp-admin Plugins screen or with WP-CLI (`wp plugin list --fields=name,version,status`). Beyond that, detection relies on monitoring: review web-server and database logs for requests to the plugin's endpoints that carry SQL syntax (quotes, UNION SELECT, SLEEP or BENCHMARK calls, comment markers) and for unusual database queries or access patterns. Because exploitation requires a subscriber-level account, correlating such requests with the logged-in user that sent them is worthwhile. Patchstack recommends professional incident response and server-side malware scanning rather than relying on plugin-based scanners, which malware already on the site can tamper with. [1]
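The log review described above, as an added example that is not part of the original page or of Patchstack's guidance: a small scanner that parses combined-format access log lines, URL-decodes each request target and flags the SQL injection indicators mentioned in the answer. The sample lines are constructed, the `action=load_design` endpoint and `id` parameter are made up (the plugin's real endpoints are not given on this page), and the rules are deliberately narrow, so a product search for "union jack mug" is not reported while `UNION ... SELECT` is.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined format). Not real traffic;
# the "action=load_design" endpoint is invented for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jul/2025:10:01:02 +0000] "GET /product/custom-mug/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Jul/2025:10:01:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Jul/2025:10:02:31 +0000] "GET /wp-admin/admin-ajax.php?action=load_design&id=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 9731 "-" "python-requests/2.32"
198.51.100.9 - - [04/Jul/2025:10:02:40 +0000] "GET /wp-admin/admin-ajax.php?action=load_design&id=1%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 512 "-" "python-requests/2.32"
203.0.113.5 - - [04/Jul/2025:10:03:00 +0000] "GET /?s=union+jack+mug HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
"""

# Apache/Nginx "combined" format: ip ident user [ts] "METHOD target proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Each rule runs against the URL-decoded request target. They are kept
# narrow (UNION must be followed by SELECT, a tautology needs a quote and
# an equals sign) so ordinary search terms are not flagged.
RULES = {
    "union_select":        re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I),
    "time_based_function": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "tautology":           re.compile(r"['\"]\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I),
    "schema_probe":        re.compile(r"information_schema|load_file\s*\(|into\s+(out|dump)file", re.I),
}

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def scan_log(text):
    """Return one finding per (line, rule) match, carrying the decoded target."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if not rec:
            continue
        # Decode %xx and '+' so encoded payloads are matched in their real form.
        decoded = unquote_plus(rec["target"])
        for name, rule in RULES.items():
            if rule.search(decoded):
                findings.append({
                    "line": lineno, "ip": rec["ip"], "rule": name,
                    "target": decoded, "ua": rec["ua"],
                })
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['ip']} [{f['rule']}] {f['target']}")
```

Access logs do not record which WordPress user sent a request, so a hit from this scanner is a lead to correlate with session or application logs, not proof of exploitation; POST bodies, where most plugin AJAX parameters travel, are also not in the access log and need request logging or a WAF to inspect.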
What immediate steps should I take to mitigate this vulnerability?
Patchstack has issued a virtual patch (vPatch) that blocks attack attempts against this vulnerability until an official fix is available; sites protected by Patchstack should apply it immediately. Independently of that, update the plugin to a fixed release as soon as one is published, since a virtual patch is a stopgap in front of the vulnerable code rather than a correction of it. Because exploitation needs only a subscriber-level account, also review the site's user base and remove accounts that are not needed, and restrict open registration if the business allows it. Finally, monitor for signs of compromise, and engage professional incident response and server-side malware scanning if any are found. [1]