Platform
wordpress
Component
lumise
Fixed in
2.0.10
CVE-2026-25371 describes a critical SQL Injection vulnerability discovered in the Lumise Product Designer WordPress plugin. This flaw allows attackers to perform blind SQL injection, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 through 2.0.9, and a patch is available in version 2.0.9.
The SQL Injection vulnerability in Lumise Product Designer poses a significant risk to WordPress sites utilizing the plugin. An attacker could exploit this to bypass authentication mechanisms, extract sensitive user data (usernames, passwords, email addresses, order details, etc.), and potentially gain control of the database. The 'blind' nature of the injection means the attacker doesn't receive direct feedback from the database, requiring more sophisticated techniques to extract information, but the potential impact remains severe. Successful exploitation could lead to data breaches, website defacement, and even complete compromise of the WordPress installation.
CVE-2026-25371 was publicly disclosed on 2026-03-25. While no public proof-of-concept (PoC) code has been released at the time of writing, the severity of the vulnerability (CVSS 9.3) and the nature of blind SQL injection suggest a high probability of exploitation. It is recommended to prioritize remediation efforts. The vulnerability is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the Lumise Product Designer plugin, particularly those running versions 0.0.0 through 2.0.9, are at immediate risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially impact others.
• wordpress / composer / npm:
grep -r "lumise_product_designer" /var/www/html/wp-content/plugins/
wp plugin list | grep lumise_product_designer
• generic web:
curl -I "https://your-wordpress-site.com/wp-admin/admin.php?page=lumise-designer-settings" # Check for unusual parameters
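The grep and wp-cli checks above only tell you whether the plugin is present; what matters for triage is whether the installed version is below the first fixed release. The following script is an added example, not code from the advisory or from the plugin's vendor: it reads the `Version:` header that every WordPress plugin carries in its main PHP file and compares it numerically against a fixed version you pass in. The plugin directory name `lumise` (the advisory's component slug) and the sample header are constructed for the demo; the fixed version is a parameter because the advisory's header lists 2.0.10 while its body cites 2.0.9, so pass the value your vendor confirms.

```shell
#!/bin/sh
# Added example, not from the advisory: compare an installed WordPress plugin's
# "Version:" header against the first fixed release. Plugin slug and fixed
# version are parameters; the demo tree below is constructed.

# version_lt A B: exit 0 if A < B, comparing dot-separated numeric fields
# (missing trailing fields count as 0, so 2.0 equals 2.0.0).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# plugin_version DIR: print the "Version:" header found in the plugin's main
# PHP file (the first .php file in DIR that carries one).
plugin_version() {
    for f in "$1"/*.php; do
        [ -f "$f" ] || continue
        v=$(grep -m1 '^[[:space:]*]*Version:' "$f" | sed 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//')
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    return 1
}

# check_plugin WP_ROOT SLUG FIXED: print a verdict; exit 0 when the installed
# version is below FIXED (vulnerable), 1 when patched, 2 when it cannot tell.
check_plugin() {
    dir="$1/wp-content/plugins/$2"
    [ -d "$dir" ] || { echo "NOT INSTALLED: $2"; return 2; }
    v=$(plugin_version "$dir") || { echo "UNKNOWN VERSION: $2"; return 2; }
    if version_lt "$v" "$3"; then
        echo "VULNERABLE: $2 $v < $3"; return 0
    fi
    echo "PATCHED: $2 $v >= $3"; return 1
}

# Constructed demo tree: a plugin directory named after the advisory's
# component slug, carrying an old version header.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/plugins/lumise"
cat > "$demo_root/wp-content/plugins/lumise/lumise.php" <<'EOF'
<?php
/*
 * Plugin Name: Lumise (constructed sample header)
 * Version: 2.0.8
 */
EOF

# On a real host: check_plugin /var/www/html lumise 2.0.10
check_plugin "$demo_root" lumise 2.0.10
```

The numeric field comparison matters because a plain string compare would rank `2.0.9` above `2.0.10`; the exit codes let the check slot into a fleet-wide loop or a cron job that alerts on status 0.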
Exploit Status
EPSS
0.03% (percentile 8%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-25371 is to immediately upgrade the Lumise Product Designer plugin to version 2.0.9 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious SQL injection attempts targeting the plugin's endpoints. Specifically, look for unusual characters and patterns in user input that are commonly associated with SQL injection. Monitor WordPress error logs for any SQL-related errors that might indicate an attempted exploit. After upgrading, verify the fix by attempting a SQL injection payload against the plugin's vulnerable endpoints and confirming that it is blocked.
Update to version 2.0.9, or a newer patched version
CVE-2026-25371 is a critical SQL Injection vulnerability affecting the Lumise Product Designer WordPress plugin, allowing attackers to potentially extract data via blind SQL injection.
If you are using Lumise Product Designer versions 0.0.0 through 2.0.9 on your WordPress site, you are affected by this vulnerability.
Upgrade the Lumise Product Designer plugin to version 2.0.9 or later to remediate the vulnerability. Consider WAF rules as a temporary workaround.
While no public exploits are currently known, the high severity score suggests a high probability of exploitation, and proactive patching is recommended.
Refer to the Lumise Product Designer website or WordPress plugin repository for the official advisory and update information.