Platform
wordpress
Component
wp-ticketbai
Fixed in
3.19.1
CVE-2025-24767 describes a critical SQL Injection vulnerability discovered in the TicketBAI Facturas para WooCommerce plugin. This flaw allows attackers to perform blind SQL injection, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 up to and including 3.19. A patch is available in version 3.19.1.
The SQL Injection vulnerability in TicketBAI Facturas para WooCommerce allows an attacker to bypass security measures and directly interact with the underlying database. Due to the 'blind' nature of the injection, attackers must infer data through repeated queries, making exploitation potentially time-consuming but still highly impactful. Successful exploitation could lead to the exfiltration of sensitive customer data, order information, financial details, and potentially even administrative credentials stored within the WooCommerce database. This could result in significant data breaches, financial losses, and reputational damage for affected e-commerce sites. The blind nature of the attack means it may be difficult to detect without specific monitoring in place.
CVE-2025-24767 was publicly disclosed on 2025-06-09. The vulnerability's blind SQL injection nature suggests a potentially slower exploitation process, but the CRITICAL CVSS score indicates significant risk. No public proof-of-concept exploits have been observed as of this writing, but the vulnerability's ease of exploitation makes it a likely target for automated scanning and exploitation tools. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.06% (18% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-24767 is to immediately upgrade the TicketBAI Facturas para WooCommerce plugin to version 3.19.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious SQL injection attempts targeting the vulnerable endpoints. Specifically, look for unusual characters and patterns in user input that are commonly associated with SQL injection attacks. Regularly review and sanitize all user inputs to prevent future vulnerabilities. Monitor database logs for suspicious activity, such as unusual query patterns or errors.
Update the TicketBAI Facturas para WooCommerce plugin to the latest available version to mitigate the blind SQL injection vulnerability. Check for updates in the WordPress repository or on the developer's website. Implement additional security measures, such as user input validation and sanitization, to prevent future vulnerabilities.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-24767 is a critical SQL Injection vulnerability affecting the TicketBAI Facturas para WooCommerce plugin, allowing attackers to potentially extract sensitive data through blind SQL injection.
If you are using TicketBAI Facturas para WooCommerce versions 0.0.0 through 3.19, you are affected by this vulnerability. Upgrade to 3.19.1 or later to mitigate the risk.
The recommended fix is to upgrade the TicketBAI Facturas para WooCommerce plugin to version 3.19.1 or later. If immediate upgrade is not possible, implement a WAF rule to filter malicious SQL injection attempts.
While no public exploits have been confirmed, the vulnerability's severity and ease of exploitation suggest it is a potential target for attackers. Continuous monitoring is advised.
Refer to the official TicketBAI website and WooCommerce plugin repository for the latest advisory and update information regarding CVE-2025-24767.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.