Description
The PagBank / PagSeguro Connect para WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'status' parameter in all versions up to, and including, 4.44.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-09-10
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The PagBank / PagSeguro Connect para WooCommerce plugin contains a SQL injection flaw caused by inadequate escaping of the 'status' parameter in the plugin’s database queries. This weakness, classified as CWE-89, enables an attacker who is authenticated with Shop Manager level access or higher to append malicious SQL statements to the existing query, potentially allowing the extraction of sensitive database information.

Affected Systems

The vulnerability affects the martins56 PagBank / PagSeguro Connect para WooCommerce WordPress plugin in all releases up to and including version 4.44.3. Any WordPress site that has this plugin installed and whose users include accounts with Shop Manager or higher privileges is potentially impacted.

Risk and Exploitability

The CVSS score of 4.9 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of widespread exploitation. The attacker must first have valid credentials with Shop Manager or better privileges; once authenticated, they can exploit the flaw by sending a crafted request containing the 'status' parameter. The vulnerability is not listed in CISA’s KEV catalog, but because it allows data exfiltration from the database, the risk to confidentiality remains significant for compromised sites.

Generated by OpenCVE AI on April 21, 2026 at 03:06 UTC.
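An added illustration of the weakness class the analysis describes (CWE-89 through an unprepared 'status' parameter), written for this page and not taken from the plugin, whose actual query and table are not shown here: a WordPress-style handler that interpolates the request value into SQL text, beside the same query bound through $wpdb->prepare() behind an allow-list and a capability check. The table name example_orders, the function names and the allowed status values are assumptions.

```php
<?php
// Added illustrative example, not the plugin's code. Table name, function names
// and the status allow-list are assumptions for illustration only.

// VULNERABLE pattern: the request value becomes part of the SQL text. esc_sql()
// alone is not a fix either; it only escapes for use inside a quoted string and
// gives no protection once the value lands outside quotes or in a numeric or
// identifier position. Binding through a prepared statement is the reliable fix.
function example_list_orders_vulnerable( $status ) {
    global $wpdb;
    $sql = "SELECT id, status FROM {$wpdb->prefix}example_orders WHERE status = '" . $status . "'";
    return $wpdb->get_results( $sql, ARRAY_A );
}

// HARDENED pattern: restrict to known values, then let $wpdb->prepare() bind the
// value as data with a typed placeholder instead of concatenating it as SQL.
const EXAMPLE_ALLOWED_STATUSES = array( 'pending', 'processing', 'completed', 'cancelled' );

function example_list_orders_hardened( $status ) {
    global $wpdb;
    // Normalise and reject anything outside the allow-list before touching the DB.
    $status = sanitize_key( (string) $status );
    if ( ! in_array( $status, EXAMPLE_ALLOWED_STATUSES, true ) ) {
        return new WP_Error( 'invalid_status', 'Unknown order status.' );
    }
    $sql = $wpdb->prepare(
        "SELECT id, status FROM {$wpdb->prefix}example_orders WHERE status = %s",
        $status
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// The capability check limits who can reach the parameter (the advisory's
// Shop Manager-or-above precondition) but does not make the query itself safe,
// so both layers are needed. 'manage_woocommerce' is the capability WooCommerce
// grants to the Shop Manager role.
function example_handle_status_request() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    $status = isset( $_GET['status'] ) ? wp_unslash( $_GET['status'] ) : '';
    return example_list_orders_hardened( $status );
}
```

The hardened version is what the advisory's "sufficient preparation" refers to: with %s in prepare(), the status value reaches MySQL as an escaped, quoted literal and cannot close the string or append a second statement, and the allow-list makes any unexpected value fail before a query is built at all.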

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PagBank / PagSeguro Connect para WooCommerce plugin to the latest available version (4.44.4 or newer) to eliminate the SQL injection flaw.
  • If an immediate upgrade is not feasible, restrict or remove Shop Manager+ user accounts from sites that use the vulnerable plugin, or uninstall the plugin entirely.
  • Deploy a Web Application Firewall rule that detects and blocks suspicious SQL payloads targeting the 'status' parameter to provide interim protection.

Generated by OpenCVE AI on April 21, 2026 at 03:06 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-27519
Title: The PagBank / PagSeguro Connect para WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'status' parameter in all versions up to, and including, 4.44.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Fri, 12 Sep 2025 09:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Woocommerce (woocommerce), Wordpress (wordpress)

Type: Vendors & Products
Values Removed: (none)
Values Added: Woocommerce (woocommerce), Wordpress (wordpress)

Wed, 10 Sep 2025 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Sep 2025 06:45:00 +0000

Type: Description
Values Added: The PagBank / PagSeguro Connect para WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'status' parameter in all versions up to, and including, 4.44.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values Added: PagBank / PagSeguro Connect para WooCommerce <= 4.44.3 - Authenticated (Shop Manager+) SQL Injection

Type: Weaknesses
Values Added: CWE-89

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1
{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:35.745Z

Reserved: 2025-09-08T20:46:52.706Z

Link: CVE-2025-10142

Vulnrichment

Updated: 2025-09-10T14:59:23.795Z

NVD

Status: Deferred

Published: 2025-09-10T07:15:44.500

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10142

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:15:16Z

Weaknesses