VYPR
High severity 8.5 · NVD Advisory · Published Jan 8, 2026 · Updated Apr 27, 2026

CVE-2025-22713

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in vanquish WooCommerce Orders & Customers Exporter woocommerce-orders-ei allows SQL Injection. This issue affects WooCommerce Orders & Customers Exporter: from n/a through <= 5.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in WooCommerce Orders & Customers Exporter plugin (≤5.4) allows unauthenticated attackers to execute arbitrary SQL commands, risking data theft.

Vulnerability Overview

CVE-2025-22713 is an SQL injection vulnerability in the WordPress plugin WooCommerce Orders & Customers Exporter (versions up to and including 5.4). The plugin fails to properly neutralize special elements used in SQL commands, allowing an attacker to inject malicious SQL queries. This flaw is classified as a classic SQL injection (CWE-89) and has been assigned a CVSS v3 score of 8.5 (High) [1].

Exploitation

The vulnerability can be exploited without authentication, making it accessible to any remote attacker. By sending specially crafted input to the plugin's export functionality, an attacker can inject arbitrary SQL commands into the database query. The attack does not require any special privileges or user interaction, and it can be performed over HTTP [1].

Impact

Successful exploitation allows an attacker to directly interact with the underlying WordPress database. This could lead to the theft of sensitive information, including user credentials, personal data, and order details. Given the plugin's widespread use, this vulnerability is considered highly dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites [1].

Mitigation

The vendor has released a patched version; users are strongly advised to update the plugin immediately. If an update is not possible, it is recommended to contact the hosting provider or a web developer for assistance to implement temporary workarounds or disable the plugin until a fix can be applied [1].
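To decide which sites need the update, the installed version can be read from the plugin's header and compared with the affected range. The script below is an added example, not code from the advisory or the vendor; it assumes the plugin lives in a directory named after the slug `woocommerce-orders-ei` and that any release numbered above 5.4 is outside the range.

```python
import re
import sys
import tempfile
from pathlib import Path

SLUG = "woocommerce-orders-ei"   # plugin slug as given in the advisory
LAST_AFFECTED = (5, 4)           # advisory: affected through <= 5.4

# WordPress plugin header lines, e.g. " * Version: 5.4"
NAME_RE = re.compile(rb"^[ \t/*#@]*Plugin Name:", re.M)
VERSION_RE = re.compile(rb"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.M)

def is_affected(version):
    """True when version <= 5.4, comparing numeric components only."""
    # Assumption: a release numbered above 5.4 (5.4.1, 5.5, ...) is out of range.
    v = tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))
    width = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))   # makes 5.4 equal to 5.4.0
    return pad(v) <= pad(LAST_AFFECTED)

def installed_version(plugins_dir):
    """Version header of the plugin's main file, or None when absent."""
    root = Path(plugins_dir) / SLUG   # assumed: directory named after the slug
    if not root.is_dir():
        return None
    for php in sorted(root.glob("*.php")):
        head = php.read_bytes()[:8192]   # headers are read from the first 8 KB
        match = VERSION_RE.search(head) if NAME_RE.search(head) else None
        if match:
            return match.group(1).decode("ascii")
    return None

def audit(plugins_dir):
    version = installed_version(plugins_dir)
    if version is None:
        return "not installed"
    state = "affected" if is_affected(version) else "outside affected range"
    return f"{version}: {state}"

def demo():
    """Run the audit against a constructed plugin tree (sample data, not real)."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / SLUG
        plugin.mkdir()
        (plugin / "sample-main.php").write_text(
            "<?php\n/*\n * Plugin Name: Constructed sample\n * Version: 5.4\n */\n")
        return audit(tmp)

if __name__ == "__main__":
    print(audit(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Pass the site's `wp-content/plugins` path as the only argument; with no argument the script runs against the constructed sample.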

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
