Skip to main content

Lumise Product Designer CVE-2026-25371

| EUVDEUVD-2026-15691 CRITICAL
SQL Injection (CWE-89)
2026-03-25 Patchstack GHSA-w9px-jjvp-q592
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15691
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
CRITICAL 9.3

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in King-Theme Lumise Product Designer lumise allows Blind SQL Injection.This issue affects Lumise Product Designer: from n/a through < 2.0.9.

AnalysisAI

A blind SQL injection vulnerability exists in King-Theme's Lumise Product Designer WordPress plugin, allowing unauthenticated attackers to extract sensitive data through time-based or boolean-based SQL inference techniques without direct query result visibility. The vulnerability affects all versions of Lumise Product Designer prior to 2.0.9. Attackers can exploit this to bypass authentication, enumerate database schemas, or extract user credentials and plugin configuration data.

Technical ContextAI

The vulnerability stems from improper neutralization of special SQL metacharacters (CWE-89) in user-supplied input parameters, likely within product customization or AJAX endpoints typical of design plugins. The Lumise Product Designer is a WordPress plugin (cpe:2.3:a:king-theme:lumise_product_designer) that enables users to create customizable product designs; its database queries are constructed without parameterized statements or input validation. Blind SQL injection differs from standard SQL injection in that the attacker cannot directly observe query results but instead infers data through timing delays (SLEEP() functions) or conditional logic that alters page behavior, making exploitation slower but often more difficult to detect and block with basic WAF rules.

RemediationAI

Immediately upgrade Lumise Product Designer to version 2.0.9 or later via the WordPress admin dashboard (Plugins > Updates). Verify the upgrade completes successfully and test site functionality post-patch. For sites unable to patch immediately, implement network-level protections by deploying a Web Application Firewall (WAF) configured to block SQL injection patterns (e.g., Wordfence, ModSecurity rules targeting UNION, SLEEP, and time-based payloads) and restrict direct access to wp-admin and plugin endpoints to trusted IP ranges. Enable database query logging to detect exploitation attempts. Monitor the Patchstack database and WordPress plugin repository for updates. Refer to the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/lumise/vulnerability/wordpress-lumise-product-designer-plugin-2-0-9-sql-injection-vulnerability?_s_id=cve for detailed changelog information.

Share

CVE-2026-25371 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy