CVE-2025-47645
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes elex-bulk-edit-products-prices-attributes-for-woocommerce-basic allows SQL Injection. This issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes: from n/a through <= 1.4.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection vulnerability in ELEX WooCommerce Advanced Bulk Edit plugin (≤1.4.9) allows authenticated attackers to execute arbitrary SQL commands.
The ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes plugin for WordPress (versions up to and including 1.4.9) is vulnerable to SQL injection due to improper neutralization of special elements used in an SQL command. This flaw allows attackers to inject malicious SQL queries through input fields that are not properly sanitized.
Exploitation requires a valid subscriber-level account or higher, as the vulnerable functionality is accessible to authenticated users. An attacker can craft HTTP requests to inject arbitrary SQL statements, potentially extracting sensitive data from the database.
Successful exploitation could lead to unauthorized access to the database, including the exfiltration of customer information, user credentials, and other confidential data. The CVSS score of 8.5 indicates high severity, and the vulnerability is expected to be actively exploited in mass campaigns.
The plugin developer has released version 1.5.0, which fixes the vulnerability. Users are strongly advised to update immediately. If automatic updates are not possible, applying a mitigation rule (e.g., from Patchstack) can block exploitation attempts until the update is applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
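A version audit for the update advice above, as an added example that is not part of the CVE record or the plugin's code. It reads the plugin's `Version:` header from disk and flags anything below 1.5.0; the default `wp-content/plugins` layout and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Slug and fixed release come from the CVE text; the default wp-content/plugins
# layout is an assumption (WP_CONTENT_DIR can be relocated).
SLUG = "elex-bulk-edit-products-prices-attributes-for-woocommerce-basic"
FIXED = (1, 5, 0)


def parse_version(text):
    """'1.4.9' -> (1, 4, 9), padded to three parts; () if not numeric."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    nums = [int(n) for n in m.group(1).split(".")] if m else []
    return tuple(nums + [0] * (3 - len(nums))) if nums else ()


def installed_version(plugin_dir):
    """Read Version from the top-level .php file whose first 8 KiB holds a
    'Plugin Name:' header, which is how WordPress identifies the main file."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        if "Plugin Name:" in head:
            m = re.search(r"^[ \t/*#@]*Version:(.*)$", head, re.M)
            return m.group(1).strip() if m else None
    return None


def audit(wp_root):
    """Return (status, raw_version) for one WordPress document root."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return ("not-installed", None)
    raw = installed_version(plugin_dir)
    parsed = parse_version(raw) if raw else ()
    if not parsed:
        return ("unknown-version", raw)  # no usable header: review by hand
    return ("affected" if parsed < FIXED else "fixed", raw)


if __name__ == "__main__":
    # Constructed sample tree, not a real installation.
    with tempfile.TemporaryDirectory() as root:
        d = Path(root) / "wp-content" / "plugins" / SLUG
        d.mkdir(parents=True)
        (d / "plugin.php").write_text("<?php\n/* Plugin Name: X\n * Version: 1.4.9\n */\n")
        print(audit(root))
```

An `unknown-version` result means the plugin directory exists but no parsable header was found, so that install should be checked manually rather than assumed safe.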
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.