Scan free
CRITICALCVE-2026-25371CVSS 9.3

CVE-2026-25371: SQL Injection in Lumise Product Designer

Platform

wordpress

Component

lumise

Fixed in

2.0.10

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026
View on NVD
Save

CVE-2026-25371 describes a critical SQL Injection vulnerability discovered in the Lumise Product Designer WordPress plugin. This flaw allows attackers to perform blind SQL injection, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 through 2.0.9, and a patch is available in version 2.0.9.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Impact and Attack Scenarios

The SQL Injection vulnerability in Lumise Product Designer poses a significant risk to WordPress sites utilizing the plugin. An attacker could exploit this to bypass authentication mechanisms, extract sensitive user data (usernames, passwords, email addresses, order details, etc.), and potentially gain control of the database. The 'blind' nature of the injection means the attacker doesn't receive direct feedback from the database, requiring more sophisticated techniques to extract information, but the potential impact remains severe. Successful exploitation could lead to data breaches, website defacement, and even complete compromise of the WordPress installation.

Exploitation Context

CVE-2026-25371 was publicly disclosed on 2026-03-25. While no public proof-of-concept (PoC) code has been released at the time of writing, the severity of the vulnerability (CVSS 9.3) and the nature of blind SQL injection suggest a high probability of exploitation. It is recommended to prioritize remediation efforts. The vulnerability is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh
Reports1 threat report

EPSS

0.03% (8% percentile)

CISA SSVC

Exploitationnone
Automatableyes
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L9.3CRITICALAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeChangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityNoneRisk of unauthorized data modificationAvailabilityLowRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Componentlumise
Vendorwordfence
Affected rangeFixed in
0.0.0 – 2.0.92.0.10

Weakness Classification (CWE)

CWE-89

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-25371 is to immediately upgrade the Lumise Product Designer plugin to version 2.0.9 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious SQL injection attempts targeting the plugin's endpoints. Specifically, look for unusual characters and patterns in user input that are commonly associated with SQL injection. Monitor WordPress error logs for any SQL-related errors that might indicate an attempted exploit. After upgrading, verify the fix by attempting a SQL injection payload against the plugin's vulnerable endpoints and confirming that it is blocked.

How to fix

Update to version 2.0.9, or a newer patched version

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-25371 — SQL Injection in Lumise Product Designer?

CVE-2026-25371 is a critical SQL Injection vulnerability affecting the Lumise Product Designer WordPress plugin, allowing attackers to potentially extract data via blind SQL injection.

Am I affected by CVE-2026-25371 in Lumise Product Designer?

If you are using Lumise Product Designer versions 0.0.0 through 2.0.9 on your WordPress site, you are affected by this vulnerability.

How do I fix CVE-2026-25371 in Lumise Product Designer?

Upgrade the Lumise Product Designer plugin to version 2.0.9 or later to remediate the vulnerability. Consider WAF rules as a temporary workaround.

Is CVE-2026-25371 being actively exploited?

While no public exploits are currently known, the high severity score suggests a high probability of exploitation, and proactive patching is recommended.

Where can I find the official Lumise advisory for CVE-2026-25371?

Refer to the Lumise Product Designer website or WordPress plugin repository for the official advisory and update information.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs