Platform: wordpress
Component: sync-wc-google
Fixed in: 8.6.1
CVE-2025-31599 describes a SQL Injection vulnerability discovered in N-Media Bulk Product Sync, a WordPress plugin designed to synchronize product data. This flaw allows attackers to inject malicious SQL code, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 up to and including 8.6. A patch has been released in version 8.6.1.
Successful exploitation of this SQL Injection vulnerability could grant an attacker complete control over the underlying database. This includes the ability to read, modify, or delete sensitive data such as customer information, product details, order history, and administrative credentials. Lateral movement within the WordPress environment is possible if the attacker can leverage the compromised database to gain access to other plugins or themes. The blast radius extends to any data in the WordPress database that the Bulk Product Sync plugin's database user can reach, potentially impacting the entire e-commerce operation.
This vulnerability was publicly disclosed on 2025-04-11. There is currently no indication of active exploitation campaigns targeting this specific vulnerability. The severity is considered CRITICAL due to the potential for complete database compromise. No public proof-of-concept (POC) code has been released as of this writing, but the nature of SQL Injection vulnerabilities makes it likely that one will emerge.
Exploit Status
EPSS: 0.23% (46th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade to version 8.6.1 of N-Media Bulk Product Sync. If upgrading is not feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent further exploitation. While not a complete solution, implementing a Web Application Firewall (WAF) with SQL Injection protection rules can provide an additional layer of defense. Regularly review database access logs for suspicious activity and consider implementing stricter database user permissions to limit the impact of a potential breach. After upgrade, confirm by attempting a product synchronization and verifying that no SQL errors are logged.
Update the Bulk Product Sync plugin to the latest available version to mitigate the SQL Injection vulnerability. Refer to the plugin page on WordPress.org for update instructions.
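The check-and-remediate routine described above, written as an added POSIX shell example; it is not code from the advisory or from the plugin vendor. It assumes WP-CLI (`wp`) is installed and run from the WordPress root, that the plugin's directory slug is `sync-wc-google` (taken from the Component field above, not independently confirmed), and that `sort -V` is available (GNU coreutils or busybox). The affected range "0.0.0 up to and including 8.6" is treated as every version strictly below the fixed release 8.6.1, so `8.6`, `8.6.0` and `8.5.9` are flagged while `8.6.1` and `8.10` are not.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin vendor): classify the
# installed plugin version against the fixed release and remediate.
# Assumptions: WP-CLI ('wp') runs from the WordPress root and the plugin slug
# is 'sync-wc-google' (the Component field on the advisory page).

PLUGIN_SLUG="sync-wc-google"   # assumed slug, taken from the page's Component field
FIXED_VERSION="8.6.1"          # first patched release per the advisory

# True (exit 0) when $1 sorts strictly below $2 under version ordering.
version_lt() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print "affected" or "patched" for a given installed version string.
# Every release from 0.0.0 up to and including 8.6 is affected, which is
# exactly the set of versions strictly below 8.6.1.
classify_version() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo affected
    else
        echo patched
    fi
}

# Read the installed version via WP-CLI; prints nothing if the plugin is absent.
installed_version() {
    wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null
}

# "check": report status only. "fix": update in place and, if the update did
# not reach a patched release, deactivate the plugin as the advisory's
# fallback mitigation.
main() {
    ver="$(installed_version)"
    if [ -z "$ver" ]; then
        echo "$PLUGIN_SLUG is not installed"
        return 0
    fi
    status="$(classify_version "$ver")"
    echo "$PLUGIN_SLUG $ver: $status"
    if [ "$1" = "fix" ] && [ "$status" = "affected" ]; then
        wp plugin update "$PLUGIN_SLUG"
        ver="$(installed_version)"
        if [ "$(classify_version "$ver")" = "affected" ]; then
            echo "update did not reach $FIXED_VERSION, deactivating"
            wp plugin deactivate "$PLUGIN_SLUG"
        fi
    fi
}

# Only act when invoked explicitly, e.g.:  sh check_cve_2025_31599.sh check
case "${1:-}" in
    check|fix) main "$1" ;;
esac
```

Run with `check` first to see the classification; `fix` performs the update and falls back to deactivation, matching the advisory's order of preference. After a successful update, still trigger a product synchronization and confirm no SQL errors appear in the logs, as the mitigation text above recommends.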
CVE-2025-31599 is a critical SQL Injection vulnerability affecting N-Media Bulk Product Sync versions 0.0.0–8.6, allowing attackers to inject malicious SQL code and potentially access sensitive data.
If you are using N-Media Bulk Product Sync versions 0.0.0 through 8.6, you are vulnerable. Upgrade to 8.6.1 to mitigate the risk.
Upgrade N-Media Bulk Product Sync to version 8.6.1. If immediate upgrade is not possible, disable the plugin and implement WAF rules.
There is currently no confirmed active exploitation, but the vulnerability's severity makes exploitation likely. Monitor your systems closely.
Refer to the N-Media website and WordPress plugin repository for the official advisory and update information.