Description
The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'infill_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-04-08
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection allowing extraction of sensitive data
Action: Apply Patch
AI Analysis

Impact

The 3DPrint Lite WordPress plugin is vulnerable to SQL Injection through its infill_text parameter. Insufficient input escaping and lack of prepared statements allow an attacker to append arbitrary SQL to the existing query. This flaw can be used to read or modify data stored in the WordPress database, potentially exposing confidential information or compromising site integrity.

Affected Systems

All versions of the Fuzzoid 3DPrint Lite plugin for WordPress up to and including 2.1.3.6 are affected. Sites using any of these releases, regardless of other plugin configurations, are at risk.

Risk and Exploitability

With a CVSS score of 4.9, the flaw is rated low‑medium severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Attackers can trigger the flaw via the plugin’s infill_text interface, most likely through a web request; while the description suggests unauthenticated exploitation, the title indicates that administrator privileges may be required, so the exact requirements remain uncertain. If exploited, the attacker could retrieve sensitive data and alter site content.

Generated by OpenCVE AI on April 22, 2026 at 17:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the 3DPrint Lite plugin to the latest released version (greater than 2.1.3.6).
  • If an immediate update is not possible, restrict access to the plugin’s administrative interface so that only trusted administrators (or the users with necessary privileges) can submit the infill_text parameter.
  • Sanitize and validate any user‑supplied input before incorporating it into SQL queries, preferably by using parameterized queries or prepared statements, to eliminate the injection vector.
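As an added illustration of the last recommendation (this is hypothetical example code, not the 3DPrint Lite plugin's own source), the handler below shows the interpolating pattern the advisory describes and then the hardened form using a capability check and $wpdb->prepare(); the table name, column names, required capability and nonce action name are all assumptions.

```php
<?php
// Hypothetical WordPress handler for a user-supplied 'infill_text' value.
// Not the plugin's own code; table/column names and capability are assumed.

// Vulnerable pattern (CWE-89): the raw request value is spliced into the
// SQL string, so the value can change the structure of the query.
function vulnerable_infill_lookup( $infill_text ) {
    global $wpdb;
    $table = $wpdb->prefix . 'p3d_infills';            // assumed table name
    $sql   = "SELECT id, price FROM {$table} WHERE name = '{$infill_text}'";
    return $wpdb->get_results( $sql );
}

// Hardened form: restrict who can reach the handler, normalise the input,
// and bind the value through $wpdb->prepare() instead of concatenating it.
function hardened_infill_lookup( $infill_text ) {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {    // assumed capability
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }

    $infill_text = sanitize_text_field( wp_unslash( $infill_text ) );
    $table       = $wpdb->prefix . 'p3d_infills';      // assumed table name

    // %s placeholder: WordPress escapes and quotes the bound value itself,
    // so it is always treated as data, never as SQL syntax.
    $sql = $wpdb->prepare(
        "SELECT id, price FROM {$table} WHERE name = %s",
        $infill_text
    );
    return $wpdb->get_results( $sql );
}

// Typical entry point: an admin-ajax action that reads the parameter from
// the request, checks a nonce, and delegates to the hardened lookup.
add_action( 'wp_ajax_p3d_infill_lookup', function () {
    check_ajax_referer( 'p3d_infill_lookup' );          // assumed nonce action
    $value  = isset( $_POST['infill_text'] ) ? $_POST['infill_text'] : '';
    $result = hardened_infill_lookup( $value );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 403 );
    }
    wp_send_json_success( $result );
} );
```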


Advisories
Source: EUVD
ID: EUVD-2025-10112
Title: The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'infill_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Fri, 11 Jul 2025 13:45:00 +0000

Metrics (epss)
  Values Removed: {'score': 0.00065}
  Values Added: {'score': 0.00067}

Thu, 10 Jul 2025 14:45:00 +0000

First Time appeared
  Values Added: Wp3dprinting; Wp3dprinting 3dprint Lite
CPEs
  Values Added: cpe:2.3:a:wp3dprinting:3dprint_lite:*:*:*:*:*:wordpress:*:*
Vendors & Products
  Values Added: Wp3dprinting; Wp3dprinting 3dprint Lite

Tue, 08 Apr 2025 16:15:00 +0000

Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 08 Apr 2025 07:15:00 +0000

Description
  Values Added: The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'infill_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title
  Values Added: 3DPrint Lite <=2.1.3.6 - Authenticated (Admin+) SQL Injection via 'infill_text'
Weaknesses
  Values Added: CWE-89
References
Metrics (cvssV3_1)
  Values Added: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:56.981Z

Reserved: 2025-04-07T17:43:19.053Z

Link: CVE-2025-3427

Vulnrichment

Updated: 2025-04-08T14:20:06.627Z

NVD

Status: Analyzed

Published: 2025-04-08T07:15:42.740

Modified: 2025-07-10T14:18:07.637

Link: CVE-2025-3427

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:45:22Z

Weaknesses