Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Network-reachable low-complexity SQLi requiring a low-privilege authenticated account (PR:L); blind injection reaches data beyond the plugin boundary (S:C, C:H) with no direct integrity impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in appsbd Vitepos vitepos-lite allows Blind SQL Injection.This issue affects Vitepos: from n/a through <= 3.4.2.
AnalysisAI
Blind SQL injection in the appsbd Vitepos (vitepos-lite) WordPress point-of-sale plugin affects all versions up to and including 3.4.2, allowing an authenticated attacker with low privileges to inject crafted SQL into backend database queries and infer data via boolean/time-based responses. The CVSS 3.1 base score of 8.5 reflects a scope change (S:C) with high confidentiality impact, meaning the plugin's SQL context can reach database contents beyond its own security boundary. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated WordPress account with at least low privileges (CVSS PR:L), reflecting that the vulnerable Vitepos POS functionality is behind login rather than exposed to anonymous visitors - this is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L) indicates a network-reachable, low-complexity attack requiring some authenticated privilege (PR:L) and no user interaction, with a scope change and high confidentiality impact - a genuinely serious profile for data exposure, though integrity is rated none and availability only low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds or obtains a low-privilege authenticated account on a WordPress site running Vitepos ≤ 3.4.2 sends crafted input to a vulnerable POS parameter, embedding blind SQL injection payloads. By observing boolean or time-based differences in the plugin's responses, the attacker iteratively extracts sensitive database contents such as customer records, order data, or WordPress user password hashes. … |
| Remediation | Upgrade the Vitepos / vitepos-lite plugin to a release later than 3.4.2 once appsbd publishes a fixed version; consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/vitepos-lite/vulnerability/wordpress-vitepos-plugin-3-4-2-sql-injection-vulnerability) for the exact patched version, which was not enumerated in the available data - no vendor-released fixed version is independently confirmed here, so do not assume a version number. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all WordPress installations running Vitepos-lite versions 3.4.2 and earlier; audit and restrict database user privileges assigned to the plugin to only necessary tables and operations. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new u
Unauthenticated sensitive data exposure in the Vitepos WordPress plugin (versions 3.4.2 and earlier) lets remote attacke
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43459