WordPress Neon Product Designer Plugin <= 2.2.0 - Unauthenticated SQL Injection vulnerability
翻译中…平台
wordpress
组件
neon-product-designer-for-woocommerce
修复版本
2.2.1
CVE-2025-32565 identifies a SQL Injection vulnerability within the Neon Product Designer for WooCommerce plugin. This flaw allows attackers to inject malicious SQL code, potentially compromising sensitive data and system integrity. The vulnerability impacts versions from 0.0.0 through 2.2.0. A patch is available in version 2.1.2.
检测此 CVE 是否影响你的项目
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。
影响与攻击场景翻译中…
Successful exploitation of this SQL Injection vulnerability could grant an attacker unauthorized access to the WooCommerce database. This could lead to the exfiltration of sensitive customer data, including usernames, passwords, addresses, and payment information. Furthermore, an attacker could potentially modify product data, disrupt order processing, or even gain control of the entire WordPress site. The impact is particularly severe given the plugin's role in customizing product design, often involving user-supplied data that is directly incorporated into database queries without proper sanitization. This vulnerability shares similarities with other SQL Injection flaws where attackers leverage unsanitized user input to manipulate database queries.
利用背景翻译中…
CVE-2025-32565 was publicly disclosed on 2025-04-11. The vulnerability's severity is considered CRITICAL due to the potential for widespread data compromise. As of this writing, there are no publicly available proof-of-concept exploits, but the ease of SQL Injection exploitation suggests a high probability of exploitation if left unpatched. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
哪些人处于风险中翻译中…
Websites utilizing the Neon Product Designer for WooCommerce plugin, particularly those running older versions (0.0.0–2.2.0), are at significant risk. Shared hosting environments where multiple WordPress sites share the same database are especially vulnerable, as a compromise of one site could potentially impact others. Sites with custom product design configurations relying heavily on user-supplied data are also at increased risk.
检测步骤翻译中…
• wordpress / composer / npm:
grep -r "neon-product-designer-for-woocommerce" /var/www/html/wp-content/plugins/
wp plugin list | grep neon-product-designer-for-woocommerce• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/neon-product-designer-for-woocommerce/ | grep -i 'SQL Injection'攻击时间线
- Disclosure
disclosure
威胁情报
漏洞利用状态
EPSS
0.23% (46% 百分位)
CISA SSVC
CVSS 向量
这些指标意味着什么?
- Attack Vector
- 网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
- Attack Complexity
- 低 — 无需特殊条件,可以稳定地利用漏洞。
- Privileges Required
- 无 — 无需认证,无需凭证即可利用。
- User Interaction
- 无 — 攻击自动且无声,受害者无需任何操作。
- Scope
- 已改变 — 攻击可以超出脆弱组件,影响其他系统。
- Confidentiality
- 高 — 完全丧失机密性,攻击者可读取所有数据。
- Integrity
- 无 — 无完整性影响。
- Availability
- 低 — 部分或间歇性拒绝服务。
受影响的软件
软件包信息
- 活跃安装数
- 50
- 插件评分
- 3.0
- 需要WordPress版本
- 5.0+
- 兼容至
- 6.8.5
- 需要PHP版本
- 7.0+
弱点分类 (CWE)
时间线
- 已保留
- 发布日期
- 修改日期
- EPSS 更新日期
缓解措施和替代方案翻译中…
The primary mitigation for CVE-2025-32565 is to immediately upgrade the Neon Product Designer for WooCommerce plugin to version 2.1.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious SQL injection attempts targeting the plugin's endpoints. Additionally, review and harden database user permissions to limit the impact of a successful attack. Regularly scan the WordPress installation for vulnerabilities using a reputable security plugin.
修复方法翻译中…
Actualice el plugin Neon Product Designer for WooCommerce a la última versión disponible para solucionar la vulnerabilidad de inyección SQL. Verifique la página del plugin en WordPress.org para obtener la versión más reciente y las instrucciones de actualización. Realice una copia de seguridad completa de su sitio web antes de realizar cualquier actualización.
CVE 安全通讯
漏洞分析和关键警报直接发送到您的邮箱。
常见问题翻译中…
What is CVE-2025-32565 — SQL Injection in Neon Product Designer?
CVE-2025-32565 is a critical SQL Injection vulnerability affecting Neon Product Designer for WooCommerce versions 0.0.0–2.2.0, allowing attackers to inject malicious SQL code.
Am I affected by CVE-2025-32565 in Neon Product Designer?
If you are using Neon Product Designer for WooCommerce versions 0.0.0 through 2.2.0, you are affected by this vulnerability and should upgrade immediately.
How do I fix CVE-2025-32565 in Neon Product Designer?
Upgrade Neon Product Designer for WooCommerce to version 2.1.2 or later to resolve the SQL Injection vulnerability. Consider WAF rules as an interim measure.
Is CVE-2025-32565 being actively exploited?
While no public exploits are currently available, the ease of SQL Injection exploitation suggests a high probability of exploitation if left unpatched.
Where can I find the official Neon Product Designer advisory for CVE-2025-32565?
Refer to the official Neon Product Designer website or WordPress plugin repository for the latest advisory and update information.