CVE-2025-13495: Urgent Alert – SQL Injection Flaw in FluentCart WordPress Plugin

Overview

CVE-2025-13495 identifies a critical SQL Injection vulnerability present in the FluentCart plugin for WordPress. This flaw affects all versions of the plugin up to and including version 1.3.1. An authenticated attacker with Administrator-level privileges or higher can exploit this vulnerability to inject malicious SQL queries, potentially leading to sensitive data extraction from the WordPress database.

Technical Details

The vulnerability resides in the handling of the groupKey parameter within the RevenueReportService.php file. Insufficient input sanitization and a lack of proper SQL query preparation allow malicious users to append arbitrary SQL code to existing database queries. The vulnerable code is located around line 76 of RevenueReportService.php.

Specifically, the groupKey parameter is passed directly into the SQL query without adequate escaping. This allows an attacker to craft a malicious request containing SQL code that will be executed by the database server with the permissions of the WordPress database user. This enables attackers to potentially read, modify, or delete data within the WordPress database.

Affected File (Prior to Patch): fluent-cart/app/Services/Report/RevenueReportService.php
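The following is an added illustration of the bug class described above, not FluentCart's code: a hypothetical revenue-report query in which a caller-controlled group key is first interpolated straight into the SQL text, and then rewritten so the key only selects from a fixed allow-list. The function names, the table name (`{$wpdb->prefix}fc_orders`) and the column names are assumptions chosen for the example; `$wpdb->prepare()` and `$wpdb->get_results()` are the real WordPress database API.

```php
<?php
// Added example (not FluentCart's code). Table, column and function names
// are assumptions made for illustration only.

// "Before": the group key is concatenated into the statement. Whatever the
// caller sends for groupKey becomes part of the SQL the database executes.
function revenue_report_vulnerable( wpdb $wpdb, string $group_key ): array {
    $sql = "SELECT {$group_key} AS period, SUM(total) AS revenue
            FROM {$wpdb->prefix}fc_orders
            GROUP BY {$group_key}";
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}

// "After": the group key is a lookup into a fixed map of SQL expressions.
// Identifiers and expressions cannot be bound as values, so prepare() alone
// does not cover this spot; the allow-list is what closes the injection.
const REVENUE_GROUP_EXPRESSIONS = [
    'day'  => 'DATE(created_at)',
    'week' => 'YEARWEEK(created_at)',
    'year' => 'YEAR(created_at)',
];

function resolve_group_expression( string $group_key ): string {
    if ( ! array_key_exists( $group_key, REVENUE_GROUP_EXPRESSIONS ) ) {
        // Reject rather than "clean up": an unknown key has no legitimate use.
        throw new InvalidArgumentException( 'Unsupported groupKey: ' . $group_key );
    }
    return REVENUE_GROUP_EXPRESSIONS[ $group_key ];
}

function revenue_report_hardened( wpdb $wpdb, string $group_key, string $status ): array {
    $expr = resolve_group_expression( $group_key );
    // Ordinary values such as the order status still go through prepare()
    // so they are escaped and quoted by the database layer.
    $sql = $wpdb->prepare(
        "SELECT {$expr} AS period, SUM(total) AS revenue
         FROM {$wpdb->prefix}fc_orders
         WHERE status = %s
         GROUP BY {$expr}",
        $status
    );
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}
```

The point to take from the hardened version is that a GROUP BY target is an identifier or expression, not a value: `$wpdb->prepare()` binds values (`%s`, `%d`, `%f`) and, since WordPress 6.2, can quote a bare column name with `%i`, but it cannot express `DATE(created_at)`. When user input has to choose a column or expression, map it through an allow-list and refuse anything outside it.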

CVSS Analysis

  • Severity: MEDIUM
  • CVSS Score: 4.9

A CVSS score of 4.9 indicates a medium severity vulnerability. While it requires Administrator-level access for exploitation, the potential impact of unauthorized data access makes it a significant security risk. The attack vector is network-based (AV:N), authentication is required (AU:S), and the rated impact is low on confidentiality (C:L) and none on integrity (I:N) or availability (A:N).

Possible Impact

Successful exploitation of this SQL injection vulnerability can have severe consequences, including:

  • Data Breach: Access to sensitive customer data, including names, addresses, email addresses, and potentially payment information.
  • Account Takeover: The ability to compromise administrator accounts, granting complete control over the WordPress site.
  • Data Manipulation: Modification or deletion of critical data, leading to disruption of service or data corruption.
  • Malware Injection: The potential to inject malicious code into the database, which could be executed on the server or client-side, leading to further compromise.

Mitigation and Patch Steps

The vulnerability has been addressed in FluentCart version 1.3.2. It is strongly recommended that all users of the FluentCart plugin upgrade to version 1.3.2 or later immediately.

The patch likely involves proper sanitization and escaping of the groupKey parameter before it is used in the SQL query. In version 1.3.2 the input is passed through ReportHelper.php, which sanitizes it before it reaches the query.

To update, follow these steps:

  1. Log in to your WordPress admin dashboard.
  2. Navigate to “Plugins” -> “Installed Plugins.”
  3. Locate the FluentCart plugin.
  4. Click the “Update Now” button (if available). If not, consider deactivating and reactivating the plugin, or manually update it by deleting it and uploading the newest version.

If an immediate update is not possible, consider temporarily disabling the FluentCart plugin until the update can be applied.

References

  • Vulnerable Code (Version 1.3.0)
  • Vulnerable Code (Trunk)
  • Patch Details (Version 1.3.2)
  • Wordfence Threat Intelligence Report

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
