Description
The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'material_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-04-08
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via SQL Injection
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw (CWE-89) in the 3DPrint Lite WordPress plugin. The 'material_text' parameter is incorporated into a SQL query without adequate escaping and without a prepared statement, so whoever controls that parameter controls part of the query text and can append further SQL to the query the plugin already runs. The CVSS vector (C:H/I:N/A:N) scopes the impact to confidentiality: successful exploitation allows retrieval of database contents such as user credentials, plugin configuration or other confidential data, rather than their modification.

Affected Systems

The affected product is the 3DPrint Lite WordPress plugin, versions 2.1.3.6 and earlier (tracked in the CPE under vendor wp3dprinting; this page also names the publisher as fuzzoid). Any WordPress site still running 2.1.3.6 or older is affected. The vulnerable code runs inside the WordPress request pipeline and queries the site's own database, so exposure is limited to sites where the plugin is active and the code path that reads 'material_text' is reachable by the attacker.

Risk and Exploitability

The CVSS 3.1 vector is AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N (score 4.9): reachable over the network with low attack complexity and no user interaction, but rated as requiring high privileges and affecting confidentiality only. That privilege requirement is where the record contradicts itself: the description says unauthenticated attackers, while the Wordfence title ('Authenticated (Admin+) SQL Injection') and the PR:H component say an administrator-level account is needed. Until the vendor clarifies, treat the description's unauthenticated wording as the worst case when deciding whether to leave the plugin enabled. The EPSS score (0.067% at the last update) and the SSVC assessment (Exploitation: none, Automatable: no, Technical Impact: partial) both indicate no known exploitation activity, and the CVE is not in the CISA KEV catalog. The attack vector is an ordinary HTTP request to the plugin carrying a crafted 'material_text' value; the page does not identify the specific route.

Generated by OpenCVE AI on April 21, 2026 at 21:25 UTC.
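The request-level signal described in the Risk and Exploitability section above, turned into a small log check, as an added example that is not a rule shipped by the plugin, Wordfence, OpenCVE or any WAF vendor. The access-log lines are constructed, and the path /placeholder-endpoint stands in for the plugin route, which the page does not identify. The check URL-decodes the 'material_text' argument and flags values containing the syntax an injection needs (a quote to break out of the literal, comment markers, a statement separator, UNION SELECT, or a simple tautology).

```python
import re
from urllib.parse import parse_qs, urlparse

# Apache/nginx combined log format; only the fields the check needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Syntax that has no place in a material name but is needed to break out of a
# quoted literal or to append a second query: quote, comments, statement
# separator, UNION SELECT and simple tautologies such as ' OR '1'='1.
SQLI_RE = re.compile(
    r"'|--|/\*|;|\bunion\b[\s/*]+(?:all[\s/*]+)?select\b|\b(?:or|and)\b\s+\S+\s*=\s*\S+",
    re.IGNORECASE,
)

# Constructed sample lines (not real traffic); /placeholder-endpoint stands in
# for the plugin route, which the advisory does not name.
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Apr/2025:09:14:02 +0000] "GET /placeholder-endpoint?material_text=PLA HTTP/1.1" 200 812',
    '198.51.100.7 - - [08/Apr/2025:09:14:09 +0000] "GET /placeholder-endpoint?material_text=Nylon+12 HTTP/1.1" 200 790',
    '203.0.113.42 - - [08/Apr/2025:09:15:31 +0000] "GET /placeholder-endpoint?material_text=PLA%27+UNION+SELECT+1%2C2%2C3-- HTTP/1.1" 200 1304',
    '203.0.113.42 - - [08/Apr/2025:09:15:40 +0000] "GET /placeholder-endpoint?material_text=%27+OR+%271%27%3D%271 HTTP/1.1" 200 1288',
    '192.0.2.9 - - [08/Apr/2025:09:16:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4021',
]


def inspect_line(line: str):
    """Return a finding for a request whose material_text value contains SQL
    syntax, or None. Values are URL-decoded first so that %27 and + are seen
    as the quote and space the database would actually receive."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlparse(m["target"]).query, keep_blank_values=True)
    for value in query.get("material_text", []):
        if SQLI_RE.search(value):
            return {"ip": m["ip"], "ts": m["ts"], "material_text": value}
    return None


def scan(lines):
    """All findings, in log order."""
    return [f for f in (inspect_line(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Two caveats apply. A bare quote is noisy where legitimate material names contain apostrophes, so tune SQLI_RE to the site's real catalogue before alerting on it. Access logs only carry query strings, not POST bodies, so if the plugin reads 'material_text' from a form post the same inspection has to happen at request time in the WAF (for ModSecurity, the target ARGS:material_text) rather than after the fact in the log.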

Remediation

The record lists no vendor fix or workaround. The affected range is stated as "up to, and including, 2.1.3.6", so check the plugin's changelog for a release newer than 2.1.3.6 before assuming the "Apply Patch" action above can actually be carried out.

OpenCVE Recommended Actions

  • Apply the latest official update for 3DPrint Lite from fuzzoid; only a release newer than 2.1.3.6 can be assumed unaffected. If no such release is listed, treat the plugin as unpatched and fall back to the next item rather than waiting passively.
  • If the plugin cannot be updated immediately, deactivate and remove 3DPrint Lite until a patched version is available; removing it is the only mitigation that fully closes the injection path.
  • If you maintain a fork of, or custom code around, the plugin, never build the SQL string from the 'material_text' value: pass it through $wpdb->prepare() with a %s placeholder so the value travels as a bound parameter. Escaping (for example esc_sql()) is a weaker second choice because it depends on every call site being correct; validating the input against a list of known material names is a useful extra layer but not a substitute.
  • As a compensating control, run a web application firewall with the OWASP ModSecurity Core Rule Set (or an equivalent) and add a targeted rule that inspects the 'material_text' argument for SQL injection patterns. WAF rules reduce exposure but can be bypassed, so they do not replace the update.

Generated by OpenCVE AI on April 21, 2026 at 21:25 UTC.


Advisories
Source: EUVD
ID: EUVD-2025-10111
Title: The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'material_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00065}
Values Added: {'score': 0.00067}


Thu, 10 Jul 2025 14:45:00 +0000

Type: First Time appeared
Values Added: Wp3dprinting; Wp3dprinting 3dprint Lite

Type: CPEs
Values Added: cpe:2.3:a:wp3dprinting:3dprint_lite:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Wp3dprinting; Wp3dprinting 3dprint Lite

Tue, 08 Apr 2025 17:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 08 Apr 2025 07:15:00 +0000

Type: Description
Values Added: The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'material_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values Added: 3DPrint Lite <=2.1.3.6 - Authenticated (Admin+) SQL Injection via 'material_text'

Type: Weaknesses
Values Added: CWE-89

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:47:37.083Z

Reserved: 2025-04-07T17:44:24.839Z

Link: CVE-2025-3429

Vulnrichment

Updated: 2025-04-08T14:20:03.384Z

NVD

Status: Analyzed

Published: 2025-04-08T07:15:43.120

Modified: 2025-07-10T14:18:42.587

Link: CVE-2025-3429

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:30:45Z

Weaknesses