Platform
wordpress
Component
emerce-core
Fixed in
1.8.1
CVE-2025-69366 describes a Blind SQL Injection vulnerability discovered in Emerce Core, a WordPress plugin. This flaw allows attackers to inject malicious SQL code, potentially leading to unauthorized data access and manipulation. The vulnerability affects versions from 0.0.0 up to and including 1.8. A patch is expected to be released by the vendor.
The SQL Injection vulnerability in Emerce Core poses a significant risk. An attacker could leverage it to bypass authentication mechanisms and directly read or modify sensitive data stored in the database, including user credentials, customer information, and potentially financial data. Successful exploitation could lead to complete compromise of the WordPress site and its associated data. Because the injection is blind, the attacker does not see query results directly and must infer them indirectly (for example from differences in response behaviour or timing), which slows extraction but does not reduce the potential impact. As with other SQL injection flaws, the root cause is untrusted input being interpreted as part of a database query.
CVE-2025-69366 was published on 2026-02-20. The vulnerability's severity is rated as CRITICAL (CVSS 9.3). Currently, there are no known public Proof-of-Concept (PoC) exploits available, but the blind SQL injection nature of the vulnerability means exploitation is possible with sufficient effort. It is not currently listed on the CISA KEV catalog. Active campaigns targeting this vulnerability are not yet confirmed.
Exploit Status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS Vector
While a direct patch is pending, several mitigation steps can reduce the risk. Deploy a Web Application Firewall (WAF) with rules that detect and block SQL Injection attempts against Emerce Core endpoints. Strengthen validation of all user-supplied data the plugin processes, and make sure values reach the database only through parameterized queries (in WordPress, `$wpdb->prepare()`), never through string concatenation with escaping as the only defence. If feasible, temporarily disable the Emerce Core plugin or restrict access to the parts of the site that use it. Monitor database and web-server logs for anomalous queries or request patterns that might indicate an ongoing attack. Once a patch is released, upgrade Emerce Core immediately and verify the fix by re-testing the previously vulnerable endpoints in a controlled environment.
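The following added example illustrates the root cause and the fix in general terms; it is not Emerce Core's code and makes no claim about where the plugin's flaw lies. It uses a hypothetical `orders` table in an in-memory SQLite database via PDO so it runs without WordPress; the function names, table and sample rows are constructed for the demo. The comment shows the equivalent WordPress idiom with `$wpdb->prepare()`.

```php
<?php
// Added example (not Emerce Core's code): string-built SQL beside a prepared
// statement. Uses an in-memory SQLite database through PDO so it runs stand-alone.
// WordPress equivalent of the hardened form:
//   $wpdb->get_results( $wpdb->prepare( "SELECT id, customer FROM {$wpdb->prefix}orders WHERE customer = %s", $customer ) );

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT NOT NULL, total REAL NOT NULL)');
// Constructed sample rows for the demo.
$db->exec("INSERT INTO orders (customer, total) VALUES ('alice', 10.0), ('bob', 25.5), ('carol', 7.25)");

// Vulnerable pattern: untrusted input becomes part of the SQL text, so quote
// characters in the input change the structure of the query.
function find_orders_vulnerable(PDO $db, string $customer): array
{
    $sql = "SELECT id, customer FROM orders WHERE customer = '" . $customer . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the SQL text is fixed at prepare time and the value is bound
// as data. Whatever the input contains, it can only ever match a customer name.
function find_orders_safe(PDO $db, string $customer): array
{
    $stmt = $db->prepare('SELECT id, customer FROM orders WHERE customer = ?');
    $stmt->execute([$customer]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A legitimate lookup behaves identically in both versions.
printf("legit / vulnerable: %d row(s)\n", count(find_orders_vulnerable($db, 'alice'))); // 1
printf("legit / safe:       %d row(s)\n", count(find_orders_safe($db, 'alice')));       // 1

// Constructed input containing a quote and a tautology: the concatenated query
// now returns every row, while the prepared query treats it as a (non-existent) name.
$hostile = "alice' OR '1'='1";
printf("hostile / vulnerable: %d row(s)\n", count(find_orders_vulnerable($db, $hostile))); // 3
printf("hostile / safe:       %d row(s)\n", count(find_orders_safe($db, $hostile)));       // 0
```

The takeaway for a plugin author or reviewer is that escaping special characters is a secondary measure; the durable fix is that user input never reaches the query parser as SQL, which is exactly what `$wpdb->prepare()` (or PDO's bound parameters) enforces.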
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-69366 is a CRITICAL SQL Injection vulnerability affecting Emerce Core versions 0.0.0–1.8, allowing attackers to potentially bypass authentication and access sensitive data.
If you are using Emerce Core versions 0.0.0 through 1.8, you are potentially affected by this vulnerability. Check your plugin version and apply mitigations immediately.
Upgrade to the latest patched version of Emerce Core as soon as it becomes available. Until then, implement WAF rules and strengthen input validation.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and blind SQL injection nature suggest potential for exploitation. Monitor your systems closely.
Refer to the official Emerce Core website and WordPress plugin repository for updates and advisories regarding CVE-2025-69366.