CVE-2025-12411: Critical SQL Injection Flaw Plagues Premmerce Wholesale Pricing Plugin

Published: 2025-11-18

Overview

CVE-2025-12411 is a high-severity SQL injection vulnerability in the Premmerce Wholesale Pricing for WooCommerce plugin for WordPress, affecting all versions up to and including 1.1.10. Any authenticated user with subscriber-level access or higher can append additional SQL to queries the plugin already runs, which can be used to read data from the database and, to a limited extent, modify it. The root cause is that request parameters reach the database layer without adequate sanitization and without a prepared (parameterized) query.

Technical Details

The vulnerability resides in the plugin's handlers for two admin-post.php actions: the 'ID' parameter of the premmerce_update_price_type action and the 'price_type' parameter of the premmerce_delete_price_type action. In both cases the parameter is concatenated into the SQL statement without escaping or parameterization, so an attacker can change the structure of the query. Because admin-post.php dispatches registered handlers for any logged-in user, a subscriber account is enough to reach these actions unless the handler itself checks capabilities. The injected SQL can be used to extract sensitive information from the database or to modify the data these queries touch, such as price type display names, which shows up as corrupted labels in the admin interface. The vulnerable code can be traced to the following files:
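To make the bug class concrete, here is an added example written for this page; it is not the plugin's own code. It shows a WordPress admin-post.php handler that builds an UPDATE statement by string concatenation, next to a hardened version that adds a capability check, a nonce check, integer casting of the ID and a prepared statement. The action names, table name, form field names and the capability checked are all assumptions for illustration.

```php
<?php
// Added example for this page, NOT the plugin's code. Action names, the table
// name, field names and the capability used are assumptions for illustration.

// ---------------------------------------------------------------------------
// Vulnerable pattern (for contrast only; never register a handler like this).
// admin-post.php dispatches admin_post_{action} to ANY logged-in user, so a
// subscriber can reach this handler unless it checks capabilities itself.
// ---------------------------------------------------------------------------
add_action( 'admin_post_example_update_price_type_unsafe', 'example_update_price_type_unsafe' );

function example_update_price_type_unsafe() {
    global $wpdb;
    $table = $wpdb->prefix . 'example_price_types'; // assumed table name

    // Request values go straight into the SQL text. A non-numeric ID changes
    // the WHERE clause; a quote in the name breaks out of the SET literal.
    $id   = $_POST['ID'];
    $name = $_POST['name'];

    $wpdb->query( "UPDATE {$table} SET name = '{$name}' WHERE id = {$id}" );

    wp_safe_redirect( admin_url( 'admin.php?page=example-price-types' ) );
    exit;
}

// ---------------------------------------------------------------------------
// Hardened handler: authorization, CSRF check, type enforcement, and a
// prepared statement. Each layer closes a distinct hole.
// ---------------------------------------------------------------------------
add_action( 'admin_post_example_update_price_type', 'example_update_price_type_safe' );

function example_update_price_type_safe() {
    global $wpdb;
    $table = $wpdb->prefix . 'example_price_types'; // assumed table name

    // 1. Authorization. Being logged in is not enough; require the capability
    //    that owns this data. 'manage_woocommerce' is an assumed choice.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. CSRF. The form must carry a nonce generated with
    //    wp_nonce_field( 'example_update_price_type' ).
    check_admin_referer( 'example_update_price_type' );

    // 3. Type enforcement before the query. An ID is a positive integer or the
    //    request is rejected; there is no "escaped" version of a bad ID.
    $id = isset( $_POST['ID'] ) ? absint( $_POST['ID'] ) : 0;
    if ( 0 === $id ) {
        wp_die( 'Invalid ID.', 400 );
    }
    $name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    if ( '' === $name ) {
        wp_die( 'Name is required.', 400 );
    }

    // 4. Parameterized query. $wpdb->prepare() binds %d/%s placeholders so the
    //    data can never change the statement's structure. For a simple update,
    //    $wpdb->update( $table, array( 'name' => $name ), array( 'id' => $id ) )
    //    achieves the same with formats inferred.
    $wpdb->query(
        $wpdb->prepare( "UPDATE {$table} SET name = %s WHERE id = %d", $name, $id )
    );

    wp_safe_redirect( admin_url( 'admin.php?page=example-price-types' ) );
    exit;
}

// The same four steps apply to the delete action described above: cast the
// 'price_type' parameter with absint() (or validate it against a known list
// if it is a string key) and bind it with %d/%s rather than interpolating it.
```

The order of the checks matters in practice: the capability check alone would have removed subscriber-level reachability (the PR:L in the CVSS vector), but the prepared statement is what removes the injection itself, so a fix that adds only one of the two leaves the other problem in place.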

CVSS Analysis

The CVSS base score for CVE-2025-12411 is 7.1 (HIGH), corresponding to the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N:

  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: Low (PR:L)
  • User Interaction: None (UI:N)
  • Scope: Unchanged (S:U)
  • Confidentiality Impact: High (C:H)
  • Integrity Impact: Low (I:L)
  • Availability Impact: None (A:N)

Possible Impact

Successful exploitation of this vulnerability could have the following consequences:

  • Data Breach: reading sensitive information from the database, such as user credentials (password hashes), customer data and order details. This is the primary impact and the reason for the High confidentiality rating.
  • Account Takeover: extracted password hashes or other credential material may be cracked or reused to gain access to administrator accounts.
  • Data Tampering: modification of the records the affected queries write to, such as price type display names. The Low integrity rating reflects that this is limited write access, not arbitrary modification of site content.
  • Malicious Content in the Database: values written through the injection could be interpreted by the site or its admin pages when read back, so output escaping on those fields matters as well.
  • Cosmetic Changes in the Admin Interface: modified price type display names.

Mitigation and Patch Steps

The most effective mitigation is to update the Premmerce Wholesale Pricing for WooCommerce plugin to the latest available version that addresses this vulnerability. If no fixed release is available for your site, disable the plugin until one is. Because exploitation requires only a subscriber-level account, also review whether the site allows open user registration (Settings > General > "Anyone can register") and turn it off if it is not needed. A Web Application Firewall with SQL injection rulesets can reduce exposure in the meantime, but treat it as a stop-gap rather than a fix. After patching, check web server logs for POST requests to admin-post.php with action=premmerce_update_price_type or action=premmerce_delete_price_type coming from low-privileged accounts, which would indicate probing or exploitation attempts.

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec, a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
