Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in eMagicOne eMagicOne Store Manager allows Blind SQL Injection.
This issue affects eMagicOne Store Manager: from n/a through 1.3.2.
AnalysisAI
Blind SQL injection in the eMagicOne Store Manager WordPress plugin (versions up to and including 1.3.2) allows remote unauthenticated attackers to inject malicious SQL through improperly sanitized parameters. With a CVSS 9.3 score and changed scope, successful exploitation can expose confidential database contents across the WordPress installation, though EPSS remains very low (0.03%) and no public exploit identified at time of analysis.
Technical ContextAI
The flaw is a CWE-89 SQL Injection affecting the eMagicOne Store Manager plugin for WordPress (CPE cpe:2.3:a:emagicone:emagicone_store_manager), a connector that bridges remote Store Manager desktop software with WooCommerce/WordPress stores. User-supplied input is concatenated into SQL queries without adequate neutralization of special characters, allowing attackers to alter query logic. Because responses do not return data directly, exploitation relies on blind techniques (boolean-based or time-based inference) where the attacker deduces information through behavioral differences in server responses.
RemediationAI
No vendor-released patch identified at time of analysis - the supplied references list the affected range as 'n/a through 1.3.2' without a fixed version, so administrators should monitor the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/store-manager-connector/vulnerability/wordpress-emagicone-store-manager-plugin-1-3-2-sql-injection-vulnerability) and the eMagicOne vendor site for an updated build above 1.3.2 and apply it immediately when released. Until then, deactivate the Store Manager Connector plugin on production WordPress installations where the desktop sync feature is not essential, or restrict access to the plugin's REST/AJAX endpoints with a WAF rule blocking SQL meta-characters and tautology patterns (side effect: legitimate Store Manager desktop clients may lose connectivity); additionally enforce least-privilege on the WordPress database user to limit the blast radius of any successful injection, accepting that this does not prevent confidentiality loss within accessible tables.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31749
GHSA-5ffv-prf8-5rc6