Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in vertim Neon Product Designer neon-product-designer-for-woocommerce allows SQL Injection. This issue affects Neon Product Designer: from n/a through <= 2.2.0.
Published: 2025-04-11
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw caused by improper neutralization of special characters within an SQL command. An attacker can supply crafted input through the plugin’s interface to manipulate the underlying database. This flaw is exploitable without authentication, allowing the attacker to retrieve, modify, or delete data stored by the WordPress site, potentially compromising confidentiality, integrity, and availability of the affected application.

Affected Systems

The attack targets the WordPress plugin Neon Product Designer developed by Vertim, affecting all installations of the plugin version 2.2.0 and earlier. Any site running this plugin is at risk if it has not been upgraded or removed.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, while the EPSS score of less than 1% suggests a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote: unauthenticated HTTP requests to the plugin's endpoints carrying injected SQL statements. If successful, the attacker could gain unrestricted command execution against the database layer.

Generated by OpenCVE AI on April 30, 2026 at 23:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Neon Product Designer to the latest available release that removes the SQL injection flaw
  • If an update is unavailable, disable or uninstall the plugin to eliminate the vulnerable code until a patch is released
  • Restrict the WordPress database user privileges to read-only or minimal rights to limit the impact of any successful injection
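As an added illustration of the flaw class described under Impact (CWE-89, special characters reaching the SQL text) and of why the recommended fix, a release that binds its query parameters, removes it, the following Python example is not the plugin's code and does not reflect its internals. It stands in an in-memory SQLite table with constructed rows for the WordPress database and contrasts a query built by string concatenation with a parameterized one given the same input.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data (not from the plugin); SQLite in memory stands in
    for the site's MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE designs (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)"
    )
    conn.executemany(
        "INSERT INTO designs (owner, title) VALUES (?, ?)",
        [("alice", "mug"), ("bob", "shirt"), ("carol", "poster")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, owner: str) -> list:
    """Vulnerable pattern: the request value is spliced into the SQL text, so a
    quote character inside it becomes part of the statement's structure
    (this is the 'improper neutralization' in the CWE-89 description)."""
    sql = f"SELECT id, title FROM designs WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Hardened pattern: the statement's structure is fixed before the value
    is seen; the driver binds the value as data, whatever characters it holds."""
    return conn.execute(
        "SELECT id, title FROM designs WHERE owner = ?", (owner,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    # A constructed input containing a quote: the unsafe query's WHERE clause is
    # rewritten and every row comes back; the safe query compares it as a literal
    # owner name and matches nothing.
    crafted = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, crafted))
    print("safe:  ", lookup_safe(db, crafted))
```

In WordPress code the same distinction is between building the query string by hand and passing it through the `$wpdb->prepare()` placeholder form; whichever driver is used, the defence is that the value never becomes part of the SQL text. Restricting the database user's rights, as the third action above recommends, then bounds what a query that does slip through can read or change.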

Advisories

Source: EUVD
ID: EUVD-2025-10771
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in vertim Neon Product Designer allows SQL Injection. This issue affects Neon Product Designer: from n/a through 2.1.1.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description, value removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in vertim Neon Product Designer allows SQL Injection. This issue affects Neon Product Designer: from n/a through 2.1.1.
  Description, value added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in vertim Neon Product Designer neon-product-designer-for-woocommerce allows SQL Injection.This issue affects Neon Product Designer: from n/a through <= 2.2.0.
  Title, value removed: WordPress Neon Product Designer Plugin <= 2.1.1 - Unauthenticated SQL Injection vulnerability
  Title, value added: WordPress Neon Product Designer Plugin <= 2.2.0 - Unauthenticated SQL Injection vulnerability
  References
  Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Fri, 11 Apr 2025 14:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 11 Apr 2025 09:00:00 +0000
  Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in vertim Neon Product Designer allows SQL Injection. This issue affects Neon Product Designer: from n/a through 2.1.1.
  Title: WordPress Neon Product Designer Plugin <= 2.1.1 - Unauthenticated SQL Injection vulnerability
  Weaknesses: CWE-89
  References
  Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:24.301Z

Reserved: 2025-04-09T11:20:02.682Z

Link: CVE-2025-32565

Vulnrichment

Updated: 2025-04-11T13:31:53.036Z

NVD

Status: Deferred

Published: 2025-04-11T09:15:27.937

Modified: 2026-04-23T15:29:07.170

Link: CVE-2025-32565

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T23:15:05Z

Weaknesses