CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
What the vulnerability does
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes elex-bulk-edit-products-prices-attributes-for-woocommerce-basic allows SQL Injection.This issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes: from n/a through <= 1.4.9.
Explanation of Vulnerability in Simple Terms
The ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes plugin through version 1.4.9 contains a SQL injection vulnerability in its database query handling. An authenticated user with low privileges can craft malicious input to execute arbitrary SQL commands. This allows reading sensitive data from the WordPress database and potentially disrupting site availability. Update to a version newer than 1.4.9 immediately.
What an attacker can do
Read sensitive data from the WordPress database and cause service disruption through SQL injection.
Potential impact on your site
Attackers with basic site access can extract customer data, product information, and other database contents, or degrade site performance.
Conditions required to exploit
Attacker must have a low-privilege user account (e.g., subscriber or contributor role) on the WordPress site.
Key dates
External resources
Related vulnerabilities
