CVE-2025-48122 Overview
CVE-2025-48122 is a SQL injection vulnerability [CWE-89] in the Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light WordPress plugin. The flaw stems from improper neutralization of special elements in SQL commands within the excel-like-price-change-for-woocommerce-and-wp-e-commerce-light plugin. All versions through 2.4.37 are affected. Attackers can exploit the vulnerability over the network without authentication or user interaction. Successful exploitation enables unauthorized database queries against WooCommerce store backends, exposing product data, customer records, and order information.
Critical Impact
Unauthenticated attackers can inject SQL commands whose effects extend beyond the vulnerable plugin into the shared WordPress database (CVSS scope changed), reading database contents and degrading store availability on affected WooCommerce sites.
Affected Products
- Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light versions through 2.4.37
- WordPress sites running the excel-like-price-change-for-woocommerce-and-wp-e-commerce-light plugin
- WooCommerce and WP E-commerce stores that have installed the affected plugin
Discovery Timeline
- 2025-06-09 - CVE-2025-48122 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-48122
Vulnerability Analysis
The vulnerability is a classic SQL injection issue [CWE-89] in a WordPress e-commerce plugin used to bulk-edit product prices through a spreadsheet-style interface. User-controlled input reaches an SQL query without proper sanitization, parameterization, or use of WordPress prepared statement APIs such as $wpdb->prepare(). Because the attack vector is network-based and requires no privileges or user interaction, any internet-facing site running the affected plugin is reachable by automated scanners and exploitation tooling.
The scope-changed impact indicates that injected queries can affect resources beyond the vulnerable component itself, including data owned by other WordPress subsystems sharing the same database. The EPSS probability of 0.232% reflects current observed activity but does not diminish the underlying risk for exposed installations.
Root Cause
The root cause is the absence of proper input neutralization on parameters passed into SQL statements executed by the plugin. Rather than binding user input as parameters, the plugin concatenates or interpolates request data directly into SQL, allowing attacker-supplied syntax to alter query structure.
Attack Vector
An unauthenticated remote attacker sends crafted HTTP requests to a plugin endpoint that processes price-change or product-lookup parameters. The injected payload terminates the intended query and appends attacker-controlled clauses such as UNION SELECT statements or time-based boolean probes. Refer to the Patchstack SQL Injection Vulnerability advisory for additional technical context.
Detection Methods for CVE-2025-48122
Indicators of Compromise
- HTTP requests to plugin endpoints under /wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/ containing SQL metacharacters such as ', --, UNION, or SLEEP(
- Unexpected wp-admin/admin-ajax.php POST traffic referencing plugin actions with unusual query string parameters
- Database error messages or long response delays correlating with requests to plugin endpoints
- New or unexpected administrator accounts in the WordPress wp_users table following suspicious traffic
Detection Strategies
- Inspect web server access logs for query strings targeting the plugin path that include SQL injection patterns
- Enable WordPress and MySQL general query logging to capture anomalous queries containing UNION, INFORMATION_SCHEMA, or stacked statements
- Deploy a web application firewall (WAF) with rules tuned to detect SQL injection attempts against WordPress plugin endpoints
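As an added example that is not part of this advisory, the following Python scanner applies the indicators above to combined-format web server access logs: it only inspects requests to the plugin path or admin-ajax.php, URL-decodes the query string before matching so encoded quotes are not missed, and reports which heuristic fired. The plugin endpoint file name, the AJAX action name and the log lines themselves are constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit
# Plugin path from the advisory; admin-ajax.php is WordPress's generic AJAX
# entry point. The regexes below are heuristics written for this example only.
PLUGIN_PATH = ("/wp-content/plugins/"
               "excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/")
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Indicators listed above: quote/comment breakouts, UNION-based reads,
# INFORMATION_SCHEMA lookups and time-based probes.
SQLI_PATTERNS = [
    ("quote_or_comment", re.compile(r"'|--|/\*")),
    ("union_select", re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S)),
    ("schema_probe", re.compile(r"information_schema", re.I)),
    ("time_probe", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
]

# Combined log format (Apache/nginx default).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                    r'(?P<target>\S+) [^"]*" (?P<status>\d{3})')

def analyze_line(line):
    """Return a finding for a suspicious plugin/AJAX request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not (parts.path.startswith(PLUGIN_PATH) or parts.path == AJAX_PATH):
        return None
    # Decode twice so %27 as well as double-encoded %2527 quotes are matched.
    decoded = unquote_plus(unquote_plus(parts.query))
    hits = [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]
    if not hits:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": parts.path,
            "patterns": hits, "status": int(m["status"])}

def scan_log(lines):
    return [f for f in map(analyze_line, lines) if f]

# Constructed sample log; plugin endpoint and AJAX action names are hypothetical.
SAMPLE_LOG = [
    f'203.0.113.10 - - [09/Jun/2025:10:01:02 +0000] "GET {PLUGIN_PATH}js/app.js HTTP/1.1" 200 1532',
    f'198.51.100.7 - - [09/Jun/2025:10:01:05 +0000] "GET {PLUGIN_PATH}hypothetical.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 884',
    '198.51.100.7 - - [09/Jun/2025:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=hypothetical_action&pid=1)%20AND%20SLEEP(5) HTTP/1.1" 200 12',
    '203.0.113.11 - - [09/Jun/2025:10:02:00 +0000] "GET /?s=women%27s+shoes HTTP/1.1" 200 20111',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The quote pattern will also fire on legitimate apostrophes in plugin parameters, so treat single-pattern hits as triage leads and tune the list against your own traffic, as the WAF recommendation above suggests.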
Monitoring Recommendations
- Alert on outbound database traffic anomalies and on queries returning unusually large result sets from WordPress hosts
- Monitor for changes to the wp_options, wp_users, and wp_usermeta tables outside of administrative workflows
- Track plugin version inventory across managed WordPress sites and flag installations at version 2.4.37 or earlier
How to Mitigate CVE-2025-48122
Immediate Actions Required
- Update the Spreadsheet Price Changer plugin to a version newer than 2.4.37 once the vendor releases a fix, per the Patchstack advisory
- Deactivate and remove the plugin on sites that do not require it until a patched build is available
- Rotate WordPress administrator passwords and database credentials if exploitation is suspected
Patch Information
At the time of NVD publication, no fixed version has been confirmed in the available references. The Patchstack advisory tracks affected releases through 2.4.37. Administrators should consult the vendor and Patchstack for the latest patched release.
Workarounds
- Restrict access to /wp-admin/ and plugin AJAX endpoints to trusted IP ranges via web server or firewall ACLs
- Deploy WAF rules that block SQL injection signatures targeting WordPress plugin parameters
- Enforce least-privilege database users for WordPress so that the application account cannot read non-WordPress schemas or execute DDL
# Example: disable the vulnerable plugin via WP-CLI until a patch is available
wp plugin deactivate excel-like-price-change-for-woocommerce-and-wp-e-commerce-light
wp plugin status excel-like-price-change-for-woocommerce-and-wp-e-commerce-light
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.