Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows SQL Injection.This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through <= 4.1.1.
Published: 2025-04-01
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when user input is not properly neutralised in an SQL statement within the Advanced WooCommerce Product Sales Reporting plugin, enabling an attacker to inject arbitrary SQL commands. This flaw can lead to unauthorized access to sensitive data or modification of database contents. The CVSS score of 9.3 and its CWE-89 classification reflect the severity of the data compromise risk.

Affected Systems

Affected versions are all releases of the WPFactory Advanced WooCommerce Product Sales Reporting plugin from the earliest available release through version 4.1.1. WordPress sites that employ this plugin in their e‑commerce setup are at risk.

Risk and Exploitability

The EPSS score of less than 1% indicates that exploitation is currently uncommon, but the high CVSS rating denotes a severe security risk. Based on the description, it is inferred that an attacker could send specially crafted HTTP requests to the plugin’s endpoints that incorporate user‑controlled input into SQL queries. Although the vulnerability is not yet listed in the CISA KEV catalog, the severe score justifies prompt remediation.

Generated by OpenCVE AI on May 2, 2026 at 02:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPFactory Advanced WooCommerce Product Sales Reporting plugin to a newer version (or the latest release).
  • If upgrading immediately is not possible, disable the plugin or limit access to its configuration endpoints in the production environment.
  • Configure a web application firewall to detect and block SQL injection patterns targeting the plugin’s input parameters.

Generated by OpenCVE AI on May 2, 2026 at 02:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9455 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting allows SQL Injection. This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through 3.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting allows SQL Injection. This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through 3.1. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows SQL Injection.This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through <= 4.1.1.
Title WordPress Advanced WooCommerce Product Sales Reporting plugin <= 3.1 - SQL Injection vulnerability WordPress Advanced WooCommerce Product Sales Reporting plugin <= 4.1.1 - SQL Injection vulnerability
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Tue, 01 Apr 2025 21:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting allows SQL Injection. This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through 3.1.
Title WordPress Advanced WooCommerce Product Sales Reporting plugin <= 3.1 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:08.791Z

Reserved: 2025-03-31T10:05:28.896Z

Link: CVE-2025-31553

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2025-04-01T21:15:49.910

Modified: 2026-04-23T15:27:57.293

Link: CVE-2025-31553

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T02:45:32Z

Weaknesses