CVE-2025-13077
Time-Based Blind SQL Injection in Payamito SMS WooCommerce Plugin
Publication date: 2025-12-13
Last updated on: 2025-12-13
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| payamito | woocommerce_sms_plugin | 1.3.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a time-based blind SQL Injection in the payamito sms woocommerce plugin for WordPress, affecting all versions up to 1.3.5. It occurs because the 'columns' parameter is not properly escaped or prepared in SQL queries, allowing unauthenticated attackers to inject additional SQL commands. This can enable attackers to extract sensitive information from the database.
How can this vulnerability impact me? :
The vulnerability can allow unauthenticated attackers to extract sensitive information from your database by injecting malicious SQL queries. This can lead to data breaches, exposure of confidential data, and potential compromise of your system's integrity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to perform time-based blind SQL Injection to extract sensitive information from the database. This exposure of sensitive data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'columns' parameter in requests to the Payamito SMS WooCommerce plugin for time-based blind SQL Injection. Since the vulnerability involves appending SQL queries via the 'columns' parameter, you can attempt to send specially crafted HTTP requests to the plugin's endpoints that use this parameter and observe response delays or anomalies indicating SQL injection. For example, using curl to send requests with payloads that cause time delays if injection is successful. A sample command might be: curl -X POST -d "columns=1 AND IF(SLEEP(5),1,0)" https://yourwordpresssite.com/wp-admin/admin-ajax.php?action=payamito_export If the response is delayed by about 5 seconds, it indicates a time-based blind SQL injection vulnerability. Monitoring logs for unusual or malformed requests targeting the 'columns' parameter can also help detect exploitation attempts. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1. Disable or restrict access to the Payamito SMS WooCommerce plugin until a patch is available. 2. Apply any available updates or patches from the plugin developer that address this vulnerability. 3. Restrict access to the plugin's AJAX endpoints, especially those handling the 'columns' parameter, to authenticated and authorized users only. 4. Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the 'columns' parameter. 5. Review and monitor logs for suspicious activity related to this plugin. 6. If possible, modify or patch the plugin code to properly sanitize and prepare SQL queries, avoiding manual string concatenation with user input. These steps help prevent exploitation while awaiting an official fix. [1, 3]