CVE-2025-31059

EUVD-2025-17496 | CRITICAL 9.3 (CVSS 3.1)
2025-06-09 [email protected]

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: None
  • Availability: Low

Lifecycle Timeline

  • Analysis Generated: Mar 14, 2026 19:21 (vuln.today)
  • EUVD ID Assigned: Mar 14, 2026 19:21 (euvd), EUVD-2025-17496
  • CVE Published: Jun 09, 2025 16:15 (nvd), CRITICAL 9.3

Description (NVD)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in woobewoo WBW Product Table PRO allows SQL Injection. This issue affects WBW Product Table PRO: from n/a through 2.1.3.

Analysis (AI)

A critical SQL injection vulnerability (CVE-2025-31059) exists in woobewoo WBW Product Table PRO plugin versions up to 2.1.3, allowing unauthenticated remote attackers to execute arbitrary SQL queries and extract sensitive database information. The CVSS 9.3 score reflects the severe impact on confidentiality with network-based attack vectors requiring no user interaction, though integrity is not compromised. The vulnerability's active exploitation status and high EPSS score indicate this is a genuine, prioritized threat requiring immediate patching.

Technical Context (AI)

This vulnerability is a classic SQL injection flaw (CWE-89: Improper Neutralization of Special Elements used in an SQL Command) affecting the WBW Product Table PRO WordPress plugin. The plugin fails to properly sanitize or parameterize user-supplied input before incorporating it into SQL queries, allowing attackers to inject malicious SQL syntax. The vulnerability likely exists in database query construction used for product filtering, sorting, or search functionality within the plugin's admin or frontend interfaces. WordPress plugins with direct database access (via wpdb) are susceptible when user input is concatenated into queries rather than using prepared statements with placeholders. The affected CPE would be: cpe:2.7:a:woobewoo:wbw_product_table_pro:*:*:*:*:*:wordpress:*:* (versions <= 2.1.3).
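The concatenation-versus-placeholder distinction above, shown as an added example that is not the plugin's code: a hypothetical product-table filter handler written the unsafe way and then hardened with $wpdb->prepare() plus an allow-list for the parts of the query (sort column, direction) that placeholders cannot bind. Table and request field names are assumptions; WordPress is assumed loaded.

```php
<?php
// Hypothetical product-table filter handler (example code, not from the plugin).
// Assumes WordPress is loaded so $wpdb, wp_unslash() and sanitize_text_field() exist.

// UNSAFE pattern: request values are concatenated straight into the SQL string,
// so the caller controls the query text, which is the CWE-89 condition.
function wbw_example_products_unsafe( $request ) {
    global $wpdb;
    $table = $wpdb->prefix . 'wbw_products'; // hypothetical table name
    $sql   = "SELECT id, name, price FROM {$table}"
           . " WHERE category = '" . $request['category'] . "'"
           . " ORDER BY " . $request['orderby'];
    return $wpdb->get_results( $sql );
}

// HARDENED pattern: values are bound with placeholders, identifiers are allow-listed.
function wbw_example_products_safe( $request ) {
    global $wpdb;
    $table = $wpdb->prefix . 'wbw_products';

    // Values: bound via %s / %d / %f placeholders, never interpolated into the string.
    $category  = sanitize_text_field( wp_unslash( $request['category'] ?? '' ) );
    $max_price = isset( $request['max_price'] ) ? (float) $request['max_price'] : PHP_FLOAT_MAX;
    $search    = sanitize_text_field( wp_unslash( $request['search'] ?? '' ) );

    // Identifiers (column name, sort direction) cannot be placeholders: allow-list them.
    $allowed_orderby = array( 'name', 'price', 'id' );
    $orderby = in_array( $request['orderby'] ?? '', $allowed_orderby, true )
             ? $request['orderby'] : 'id';
    $order   = ( strtoupper( $request['order'] ?? '' ) === 'DESC' ) ? 'DESC' : 'ASC';

    // LIKE operands go through esc_like() first so % and _ in user input stay literal.
    $like = '%' . $wpdb->esc_like( $search ) . '%';

    $sql = $wpdb->prepare(
        "SELECT id, name, price FROM {$table}
         WHERE category = %s AND price <= %f AND name LIKE %s
         ORDER BY {$orderby} {$order}
         LIMIT %d",
        $category, $max_price, $like, 50
    );
    return $wpdb->get_results( $sql );
}
```

WordPress 6.2 and later also provide the %i identifier placeholder for column names; the allow-list approach works on older releases as well.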

Remediation (AI)

  • Immediate plugin update: Update WBW Product Table PRO to version 2.1.4 or later (first patched version). Access WordPress admin dashboard → Plugins → Available Updates and apply the security update immediately.
  • Temporary disable if patch unavailable: If a patched version is not yet available, consider deactivating and removing the WBW Product Table PRO plugin until a security update is released. Use alternative product table solutions temporarily.
  • Web application firewall: Deploy WAF rules to detect and block SQL injection patterns targeting the plugin (e.g., common SQL keywords like UNION, SELECT, EXEC in query parameters). ModSecurity rules for WordPress can provide interim protection.
  • Database monitoring: Enable database query logging and monitor for suspicious SQL execution patterns, particularly from web processes. Check for unauthorized data exfiltration or schema enumeration queries.
  • Access control: Restrict the database user privileges used by WordPress to least-privilege principles. Ensure the wpdb user cannot execute administrative commands or access sensitive tables unnecessarily.
  • Post-compromise assessment: If the site was publicly exposed before patching, conduct a security audit: check database access logs, audit user accounts for unauthorized creation, verify no backdoors were installed, and monitor for data breach notifications.


CVE-2025-31059 vulnerability details – vuln.today
