Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes elex-bulk-edit-products-prices-attributes-for-woocommerce-basic allows Blind SQL Injection.This issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes: from n/a through <= 1.4.9.
Published: 2025-01-07
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an SQL injection flaw caused by improper neutralization of special elements used in SQL commands in the ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes plugin. The flaw permits blind SQL injection, meaning an attacker can execute arbitrary SQL statements against the WordPress database even if the query result is not directly returned. This can lead to unauthorized data disclosure, modification or deletion. The weakness is identified as CWE-89.

Affected Systems

WordPress sites that have installed the ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes plugin in any version up to and including 1.4.9 are affected. The vulnerability is unrelated to specific WordPress core versions, so any site running the plugin within the affected range is vulnerable.

Risk and Exploitability

The CVSS score of 7.6 categorizes the vulnerability as high severity. An EPSS score of less than 1% indicates a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack is inferred to occur through the plugin’s web interface by submitting crafted requests that are passed to the database. This inference is drawn from the description of blind SQL injection and is not explicitly confirmed in the CVE data.

Generated by OpenCVE AI on June 18, 2026 at 03:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes plugin to a version newer than 1.4.9 issued by ELEXtensions.
  • If an updated version is not yet available, disable or remove the plugin entirely from the WordPress site.
  • Limit access to the bulk‑edit functionality to administrators or trusted roles using WordPress role‑based permissions.

Generated by OpenCVE AI on June 18, 2026 at 03:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-2751 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes allows Blind SQL Injection.This issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes: from n/a through 1.4.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes allows Blind SQL Injection.This issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes: from n/a through 1.4.8. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes elex-bulk-edit-products-prices-attributes-for-woocommerce-basic allows Blind SQL Injection.This issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes: from n/a through <= 1.4.9.
Title WordPress ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes Plugin <= 1.4.8 - SQL Injection vulnerability WordPress ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes Plugin <= 1.4.9 - SQL Injection vulnerability
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Tue, 07 Jan 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Jan 2025 11:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes allows Blind SQL Injection.This issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes: from n/a through 1.4.8.
Title WordPress ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes Plugin <= 1.4.8 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T22:34:37.892Z

Reserved: 2025-01-03T13:16:49.451Z

Link: CVE-2025-22352

cve-icon Vulnrichment

Updated: 2025-01-07T15:51:40.591Z

cve-icon NVD

Status : Deferred

Published: 2025-01-07T11:15:18.527

Modified: 2026-06-17T08:46:42.173

Link: CVE-2025-22352

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T03:15:04Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')