Description
The FluentCart plugin for WordPress is vulnerable to SQL Injection via the 'groupKey' parameter in all versions up to, and including, 1.3.1. This is due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-12-03
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Patch
AI Analysis

Impact

The flaw in the FluentCart plugin is a SQL Injection weakness (CWE-89) that permits an attacker with Administrator or higher privileges to inject arbitrary SQL commands by manipulating the 'groupKey' parameter. It originates from insufficient input sanitization and the lack of prepared statements in the query construction. By appending queries to the existing statement, an attacker may read or export sensitive data stored in the WordPress database, directly compromising customer and transaction confidentiality.

Affected Systems

The issue impacts all WordPress installations running the FluentCart plugin at version 1.3.1 or earlier. The plugin is distributed under the name "FluentCart – A New Era of eCommerce – Faster, Lighter, and Simpler", and every released version up to and including 1.3.1 is affected.

Risk and Exploitability

The CVSS score of 4.9 indicates a moderate severity, and the EPSS score is under 1%, suggesting exploitation is unlikely at present. The vulnerability is not catalogued in CISA KEV. An attacker must first gain Administrator-level access to the WordPress site; once authenticated, they can execute arbitrary SQL, potentially obtaining full database read capability. The lack of a widely available exploit reduces immediate risk but does not eliminate the threat.

Generated by OpenCVE AI on April 22, 2026 at 20:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FluentCart plugin to version 1.3.2 or later, which removes the vulnerable code path and mitigates CWE-89
  • If an upgrade is not immediately possible, apply a temporary patch that sanitizes the 'groupKey' input or rewrites the query to use prepared statements to address the CWE-89 flaw
  • Restrict administrative privileges to only the users who truly require them, enforcing least-privilege principles
  • Configure the web application firewall or security plugin to block suspicious SQL patterns in incoming requests
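The second recommended action (sanitize the input or move the query onto prepared statements) is the one a site owner can act on before a vendor release. The following is an added illustration of what that looks like in WordPress plugin code; it is not FluentCart's code and does not reflect how the plugin actually uses 'groupKey'. The table name (`demo_orders`), the column allow-list, the `$since` parameter and the function names are all assumptions made for the example. The point it shows is the one CWE-89 remediation hinges on: values go through `$wpdb->prepare()` placeholders, while anything used as an SQL identifier (a column in `GROUP BY`) is chosen from a fixed allow-list rather than taken from the request, because placeholders alone cannot protect identifier positions.

```php
<?php
/**
 * Added example (hypothetical, not FluentCart's code).
 * Assumes a WordPress environment with the global $wpdb object and the
 * core helpers sanitize_key(), current_user_can() and WP_Error.
 * The table {$wpdb->prefix}demo_orders and its columns are invented.
 */

/**
 * Weak pattern, shown only for contrast: the request-supplied key is
 * interpolated straight into the statement. Because it lands in an
 * identifier position, $wpdb->prepare() with %s would not fix this.
 */
function demo_group_totals_unsafe( $group_key ) {
    global $wpdb;
    $sql = "SELECT {$group_key} AS group_value, SUM(total) AS amount "
         . "FROM {$wpdb->prefix}demo_orders GROUP BY {$group_key}";
    return $wpdb->get_results( $sql, ARRAY_A );
}

/** Columns a report may legitimately be grouped by (assumed names). */
const DEMO_ALLOWED_GROUP_KEYS = array( 'status', 'currency', 'customer_id' );

/**
 * Map the untrusted 'groupKey' onto an allow-listed column name.
 * sanitize_key() lowercases and strips to [a-z0-9_-]; the strict
 * in_array() check is what actually bounds the identifier.
 */
function demo_resolve_group_key( $group_key ) {
    $group_key = sanitize_key( (string) $group_key );
    if ( ! in_array( $group_key, DEMO_ALLOWED_GROUP_KEYS, true ) ) {
        return new WP_Error( 'invalid_group_key', 'Unsupported groupKey.' );
    }
    return $group_key;
}

/**
 * Hardened version: identifier from the allow-list, value through a
 * placeholder, and an explicit capability check so the handler does
 * not rely on the surrounding admin page for authorization.
 */
function demo_group_totals( $group_key, $since ) {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability.' );
    }

    $column = demo_resolve_group_key( $group_key );
    if ( is_wp_error( $column ) ) {
        return $column;
    }

    $table = $wpdb->prefix . 'demo_orders';

    // $column and $table are trusted (allow-list / prefix), so they are
    // backtick-quoted; $since is untrusted and bound via %s.
    $sql = $wpdb->prepare(
        "SELECT `{$column}` AS group_value, SUM(total) AS amount "
        . "FROM `{$table}` WHERE created_at >= %s GROUP BY `{$column}`",
        $since
    );

    return $wpdb->get_results( $sql, ARRAY_A );
}

/** Example request handling (assumed parameter names). */
function demo_handle_report_request() {
    $group_key = isset( $_GET['groupKey'] ) ? wp_unslash( $_GET['groupKey'] ) : '';
    $since     = isset( $_GET['since'] ) ? wp_unslash( $_GET['since'] ) : '1970-01-01';

    $rows = demo_group_totals( $group_key, $since );
    if ( is_wp_error( $rows ) ) {
        wp_send_json_error( $rows->get_error_message(), 400 );
    }
    wp_send_json_success( $rows );
}
```

The distinction between the two positions is the reason an input "sanitization" fix is not sufficient on its own: escaping makes a value safe inside quotes, but a column name never sits inside quotes, so the only robust control is to refuse any key that is not on a fixed list. WordPress 6.2 and later also offer a `%i` identifier placeholder in `$wpdb->prepare()`; it quotes the name correctly but does not restrict which column a caller may pick, so the allow-list check remains the meaningful boundary even when `%i` is used.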


Advisories

No advisories yet.

History

Tue, 09 Dec 2025 17:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 04 Dec 2025 16:45:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Wpmanageninja; Wpmanageninja fluentcart

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Wpmanageninja; Wpmanageninja fluentcart

Wed, 03 Dec 2025 22:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 03 Dec 2025 03:45:00 +0000

Type: Description
Values Added: The FluentCart plugin for WordPress is vulnerable to SQL Injection via the 'groupKey' parameter in all versions up to, and including, 1.3.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values Added: FluentCart A New Era of eCommerce <= 1.3.1 - Authenticated (Administrator+) SQL Injection via 'groupKey' Parameter

Type: Weaknesses
Values Added: CWE-89

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Wordpress Wordpress
Wpmanageninja Fluentcart
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:41:09.231Z

Reserved: 2025-11-20T22:06:04.625Z

Link: CVE-2025-13495

Vulnrichment

Updated: 2025-12-03T21:21:25.972Z

NVD

Status: Deferred

Published: 2025-12-03T04:15:59.830

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13495

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T21:00:06Z

Weaknesses