Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpopal GG Bought Together for WooCommerce gg-bought-together allows SQL Injection. This issue affects GG Bought Together for WooCommerce: from n/a through <= 1.0.2.
Published: 2025-06-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of special elements in SQL commands allows an attacker to inject arbitrary SQL into queries the plugin sends to the database. This flaw can lead to unauthorized data disclosure or manipulation, compromising the confidentiality and integrity of the site's data. The underlying weakness is classified as CWE-89 (SQL injection).

Affected Systems

WordPress sites using the GG Bought Together for WooCommerce plugin by wpopal, versions up to and including 1.0.2, are vulnerable. No other product versions are known to be affected.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity. The EPSS score is below 1%, suggesting a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is crafted POST requests or manipulated URLs that reach the plugin's input handling code, requiring only access to that input handling context. Given the critical score and the irreversible nature of SQL injection against stored data, the risk requires urgent attention.

Generated by OpenCVE AI on May 2, 2026 at 01:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GG Bought Together for WooCommerce to version 1.0.3 or later to remove the vulnerable code.
  • If an upgrade is not possible immediately, disable or remove the plugin until the patch is applied.
  • Implement input validation and stringent output escaping for all plugin data inputs to prevent future injection attempts.


Advisories
Source: EUVD
ID: EUVD-2025-19318
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpopal GG Bought Together for WooCommerce allows SQL Injection. This issue affects GG Bought Together for WooCommerce: from n/a through 1.0.2.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description, value removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpopal GG Bought Together for WooCommerce allows SQL Injection. This issue affects GG Bought Together for WooCommerce: from n/a through 1.0.2.
Description, value added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpopal GG Bought Together for WooCommerce gg-bought-together allows SQL Injection.This issue affects GG Bought Together for WooCommerce: from n/a through <= 1.0.2.
References
Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Fri, 27 Jun 2025 14:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Jun 2025 12:00:00 +0000

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpopal GG Bought Together for WooCommerce allows SQL Injection. This issue affects GG Bought Together for WooCommerce: from n/a through 1.0.2.
Title: WordPress GG Bought Together for WooCommerce plugin <= 1.0.2 - SQL Injection Vulnerability
Weaknesses: CWE-89
References
Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:26:56.214Z

Reserved: 2025-01-16T11:33:05.291Z

Link: CVE-2025-23967

Vulnrichment

Updated: 2025-06-27T12:45:52.390Z

NVD

Status: Deferred

Published: 2025-06-27T12:15:30.247

Modified: 2026-06-17T08:57:48.640

Link: CVE-2025-23967

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T01:30:16Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')