Platform
wordpress
Component
woo-mailerlite
Fixed in
3.1.3
CVE-2025-67945 describes a SQL Injection vulnerability discovered in the MailerLite – WooCommerce integration plugin for WordPress. This flaw allows attackers to inject malicious SQL code, potentially compromising sensitive data stored within the WooCommerce database. The vulnerability impacts versions from 0.0.0 up to and including 3.1.2. A patch has been released in version 3.1.3.
Successful exploitation of this SQL Injection vulnerability could grant an attacker unauthorized access to the WooCommerce database. This could lead to the exfiltration of sensitive customer data, including personal information, order details, and payment information. Furthermore, an attacker could potentially modify or delete data, disrupt WooCommerce operations, or even gain control of the entire WordPress site. The impact is particularly severe given the prevalence of WooCommerce and the sensitivity of the data it handles. While no specific real-world exploitation has been publicly reported, the severity of SQL Injection vulnerabilities generally makes them high-priority targets.
CVE-2025-67945 is not currently listed on the CISA KEV catalog. The EPSS score is likely to be medium to high, given the CRITICAL CVSS score and the potential for significant data compromise. Public proof-of-concept exploits are not yet widely available, but the vulnerability's nature makes it a likely target for exploitation. The vulnerability was publicly disclosed on 2026-01-22.
Websites utilizing the MailerLite – WooCommerce integration plugin, particularly those running older versions (0.0.0–3.1.2), are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise on one site could potentially impact others. Sites with weak database user permissions also face increased risk.
• wordpress / composer / npm:
  grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/woo-mailerlite/
• generic web:
  curl -I https://your-wordpress-site.com/wp-content/plugins/woo-mailerlite/ | grep SQL
  (a HEAD request only shows whether the plugin directory is reachable; it does not reveal the installed version, which the WP-CLI command below does)
• wordpress / composer / npm:
  wp plugin list --status=active | grep woo-mailerlite
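The WP-CLI check above only tells you the plugin is installed; whether it is still in the affected range (0.0.0 through 3.1.2) needs a numeric version comparison. The following is an added example, not code from the advisory or the MailerLite project, that parses the JSON form of `wp plugin list` (the `--format=json` and `--fields` options are standard WP-CLI flags) and flags affected copies; the sample output is constructed.

```python
"""Flag an installed woo-mailerlite plugin as affected by CVE-2025-67945 by
comparing the version WP-CLI reports against the fixed release 3.1.3.
Input is the output of:  wp plugin list --format=json --fields=name,version,status
The sample at the bottom is constructed for offline use."""
import json
import re

PLUGIN_SLUG = "woo-mailerlite"
FIXED_VERSION = "3.1.3"  # first patched release per the advisory


def parse_version(version):
    """Turn '3.1.2' into a comparable tuple so 3.1.10 sorts above 3.1.3
    (a plain string comparison would get that wrong). Returns None when
    the value is missing or unparsable."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)(.*)$", version or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # '3.1' -> 3.1.0
    # A pre-release tag such as '3.1.3-rc1' sorts below the final 3.1.3.
    parts.append(-1 if m.group(2).strip() else 0)
    return tuple(parts)


def is_affected(version):
    """True when the version lies in the advisory's range 0.0.0 .. 3.1.2."""
    parsed = parse_version(version)
    if parsed is None:
        return True  # unknown version: treat as affected until verified
    return parsed < parse_version(FIXED_VERSION)


def affected_plugins(wp_cli_json):
    """Return [(name, version, status)] for woo-mailerlite entries still in
    the affected range. Inactive copies are included: they can be
    re-enabled later, so they need updating too."""
    findings = []
    for plugin in json.loads(wp_cli_json):
        if plugin.get("name") == PLUGIN_SLUG and is_affected(plugin.get("version")):
            findings.append((plugin["name"], plugin.get("version"), plugin.get("status")))
    return findings


# Constructed sample of `wp plugin list --format=json --fields=name,version,status`
SAMPLE_WP_CLI_OUTPUT = json.dumps([
    {"name": "woocommerce", "version": "9.4.2", "status": "active"},
    {"name": "woo-mailerlite", "version": "3.1.2", "status": "active"},
])

if __name__ == "__main__":
    for name, version, status in affected_plugins(SAMPLE_WP_CLI_OUTPUT):
        print(f"{name} {version} ({status}): affected, update to {FIXED_VERSION} or later")
```

Feed it real data with `wp plugin list --format=json --fields=name,version,status | python3 check.py` after replacing the sample with `sys.stdin.read()`.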
Exploit status
EPSS
0.05% (percentile 16%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-67945 is to immediately upgrade the MailerLite – WooCommerce integration plugin to version 3.1.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious SQL injection attempts targeting the vulnerable endpoints. Specifically, look for patterns associated with SQL injection payloads in incoming requests. Additionally, review and restrict database user permissions to limit the potential damage from a successful attack. After upgrading, confirm the fix by attempting a SQL injection attack on the vulnerable endpoint and verifying that it is properly blocked.
Update to version 3.1.3, or a newer patched version
CVE-2025-67945 is a critical SQL Injection vulnerability affecting the MailerLite – WooCommerce integration plugin for WordPress, allowing attackers to inject malicious SQL code.
You are affected if you are using MailerLite – WooCommerce integration versions 0.0.0 through 3.1.2. Upgrade to 3.1.3 or later to mitigate the risk.
Upgrade the MailerLite – WooCommerce integration plugin to version 3.1.3 or later. Consider a WAF as a temporary workaround if upgrading is not immediately possible.
While no confirmed active exploitation has been publicly reported, the vulnerability's severity makes it a likely target for attackers.
Refer to the official MailerLite security advisory for details and updates regarding CVE-2025-67945.