CVE-2025-58788
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal License Manager for WooCommerce license-manager-for-woocommerce allows Blind SQL Injection. This issue affects License Manager for WooCommerce: from n/a through <= 3.0.12.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Blind SQL injection in License Manager for WooCommerce plugin (≤3.0.12) allows unauthenticated attackers to extract database contents.
Vulnerability
Overview
The License Manager for WooCommerce plugin for WordPress, versions 3.0.12 and earlier, contains a blind SQL injection vulnerability due to improper neutralization of special elements used in an SQL command. An attacker can supply maliciously crafted input that is not properly sanitized before it is used in database queries [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending specially crafted requests to the plugin's endpoints. No authentication is required, making it accessible to any remote attacker. The blind nature means the attacker does not see direct error output but can infer information by observing differences in responses or timing [1].
Impact
Successful exploitation could allow a malicious actor to directly interact with the database, including but not limited to stealing sensitive information such as user credentials, license keys, and other stored data. This vulnerability is noted as being used in mass-exploit campaigns targeting thousands of websites [1].
Mitigation
The vendor has released version 3.0.13, which resolves the vulnerability. Users are strongly advised to update immediately. If unable to update, users should contact their hosting provider or web developer for assistance. Patchstack users can enable auto-update for vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries:
- (no CPE), range: <=3.0.12
- (no CPE), range: <=3.0.12
Patches
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.