Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Martin Nguyen Next-Cart Store to WooCommerce Migration nextcart-woocommerce-migration allows SQL Injection. This issue affects Next-Cart Store to WooCommerce Migration: from n/a through <= 3.9.4.
Published: 2025-04-01
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of special elements in SQL commands, classified as a classic SQL Injection flaw, CWE‑89. It allows an attacker to insert arbitrary SQL statements through the plugin’s input handling, potentially compromising the integrity and confidentiality of the database and enabling unauthorized data disclosure or modification.

Affected Systems

The flaw affects Martin Nguyen’s Next‑Cart Store to WooCommerce Migration plugin versions from the first release through 3.9.4. Any WordPress site that has this plugin installed and has not upgraded to a later release is susceptible.

Risk and Exploitability

With a CVSS score of 9.3, the vulnerability is considered Critical. The EPSS score is less than 1%, indicating a low but non‑zero probability of exploitation in the wild, and the issue is not on the CISA KEV list. The likely attack vector is remote, emanating from web traffic that interacts with the plugin’s migration interface; it is inferred that an attacker could exploit the flaw by submitting crafted input via a standard HTTP request.

Generated by OpenCVE AI on May 1, 2026 at 01:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Next‑Cart Store to WooCommerce Migration plugin to the latest available version (≥3.9.5) to receive the vendor’s fix.
  • If an upgrade cannot be applied immediately, disable the plugin to eliminate the vulnerable code path from the site’s execution environment.
  • Audit existing migration data and remove any suspicious entries that may have been injected; consider running a database integrity check to detect unauthorized changes.

Advisories
Source: EUVD
ID: EUVD-2025-9485
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Martin Nguyen Next-Cart Store to WooCommerce Migration allows SQL Injection. This issue affects Next-Cart Store to WooCommerce Migration: from n/a through 3.9.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Martin Nguyen Next-Cart Store to WooCommerce Migration allows SQL Injection. This issue affects Next-Cart Store to WooCommerce Migration: from n/a through 3.9.4.
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Martin Nguyen Next-Cart Store to WooCommerce Migration nextcart-woocommerce-migration allows SQL Injection. This issue affects Next-Cart Store to WooCommerce Migration: from n/a through <= 3.9.4.
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Wed, 02 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 21:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Martin Nguyen Next-Cart Store to WooCommerce Migration allows SQL Injection. This issue affects Next-Cart Store to WooCommerce Migration: from n/a through 3.9.4.
Title WordPress Next-Cart Store to WooCommerce Migration plugin <= 3.9.4 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:57.878Z

Reserved: 2025-03-26T09:20:25.505Z

Link: CVE-2025-30807

Vulnrichment

Updated: 2025-04-02T13:33:01.806Z

NVD

Status: Deferred

Published: 2025-04-01T21:15:44.877

Modified: 2026-04-23T15:27:06.527

Link: CVE-2025-30807

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T01:45:05Z

Weaknesses