CVE-2026-25371
Received Received - Intake

Blind SQL Injection in Lumise Product Designer Before

Vulnerability report for CVE-2026-25371, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: Patchstack

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in King-Theme Lumise Product Designer lumise allows Blind SQL Injection.This issue affects Lumise Product Designer: from n/a through < 2.0.9.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-25
Last Modified
2026-04-23
Generated
2026-07-06
AI Q&A
2026-03-25
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
king-theme lumise_product_designer to 2.0.9 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The SQL Injection vulnerability in the Lumise Product Designer plugin allows unauthenticated attackers to execute arbitrary SQL commands, potentially leading to data theft or manipulation.

Such unauthorized access and potential data breaches can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access and ensuring data integrity.

Failure to remediate this vulnerability could result in violations of these standards due to compromised confidentiality and integrity of protected data.

Executive Summary

This vulnerability is an SQL Injection issue in the King-Theme Lumise Product Designer software. Specifically, it is a Blind SQL Injection vulnerability, which means that an attacker can inject malicious SQL commands into the software's database queries without directly seeing the results. This can allow the attacker to manipulate the database in unauthorized ways.

Impact Analysis

The Blind SQL Injection vulnerability can allow attackers to access, modify, or delete data within the Lumise Product Designer's database. This can lead to unauthorized data exposure, data corruption, or disruption of the application's normal operations.

Detection Guidance

CVE-2026-25371 is a Blind SQL Injection vulnerability in the WordPress Lumise Product Designer Plugin versions prior to 2.0.9. Detection typically involves monitoring for unusual SQL query patterns or unexpected database behavior caused by injection attempts.

While specific commands are not provided in the available resources, common detection methods include using web application firewalls (WAFs) with rules to detect SQL injection payloads, analyzing web server logs for suspicious input patterns, or employing automated vulnerability scanners that test for SQL injection.

Patchstack offers an immediate mitigation rule to block attacks, which can also help in detecting exploitation attempts by logging blocked requests.

Mitigation Strategies

The primary immediate step to mitigate CVE-2026-25371 is to update the WordPress Lumise Product Designer Plugin to version 2.0.9 or later, which contains the patch for this SQL Injection vulnerability.

Until the update can be applied, Patchstack provides an immediate mitigation rule that can block attacks targeting this vulnerability.

Additionally, employing automated vulnerability management tools, including auto-updates for vulnerable plugins, can help maintain security and prevent exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25371. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart