Platform
wordpress
Component
lumise
Fixed in
2.0.10
CVE-2026-25371 describes a critical SQL Injection vulnerability discovered in the Lumise Product Designer WordPress plugin. This flaw allows attackers to perform blind SQL injection, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 through 2.0.9, and a patch is available in version 2.0.9.
The SQL Injection vulnerability in Lumise Product Designer poses a significant risk to WordPress sites utilizing the plugin. An attacker could exploit this to bypass authentication mechanisms, extract sensitive user data (usernames, passwords, email addresses, order details, etc.), and potentially gain control of the database. The 'blind' nature of the injection means the attacker doesn't receive direct feedback from the database, requiring more sophisticated techniques to extract information, but the potential impact remains severe. Successful exploitation could lead to data breaches, website defacement, and even complete compromise of the WordPress installation.
CVE-2026-25371 was publicly disclosed on 2026-03-25. While no public proof-of-concept (PoC) code has been released at the time of writing, the severity of the vulnerability (CVSS 9.3) and the nature of blind SQL injection suggest a high probability of exploitation. It is recommended to prioritize remediation efforts. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.03% (8% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-25371 is to immediately upgrade the Lumise Product Designer plugin to version 2.0.9 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious SQL injection attempts targeting the plugin's endpoints. Specifically, look for unusual characters and patterns in user input that are commonly associated with SQL injection. Monitor WordPress error logs for any SQL-related errors that might indicate an attempted exploit. After upgrading, verify the fix by attempting a SQL injection payload against the plugin's vulnerable endpoints and confirming that it is blocked.
Update to version 2.0.9, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-25371 is a critical SQL Injection vulnerability affecting the Lumise Product Designer WordPress plugin, allowing attackers to potentially extract data via blind SQL injection.
If you are using Lumise Product Designer versions 0.0.0 through 2.0.9 on your WordPress site, you are affected by this vulnerability.
Upgrade the Lumise Product Designer plugin to version 2.0.9 or later to remediate the vulnerability. Consider WAF rules as a temporary workaround.
While no public exploits are currently known, the high severity score suggests a high probability of exploitation, and proactive patching is recommended.
Refer to the Lumise Product Designer website or WordPress plugin repository for the official advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.