Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in acowebs Dynamic Pricing With Discount Rules for WooCommerce aco-woo-dynamic-pricing allows Blind SQL Injection. This issue affects Dynamic Pricing With Discount Rules for WooCommerce: from n/a through <= 4.5.8.
Published: 2025-05-07
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw (CWE‑89) affecting the Dynamic Pricing With Discount Rules for WooCommerce plugin up to version 4.5.8. Malicious actors can inject crafted input into the plugin’s query processing, causing the application to execute arbitrary SQL commands against the underlying database. Although the injection is blind, an attacker can infer data through timing or error messages, enabling exfiltration of sensitive user or order information and compromising database integrity.

Affected Systems

WordPress sites that have the Dynamic Pricing With Discount Rules for WooCommerce plugin version 4.5.8 or earlier installed. The flaw exists wherever the plugin’s pricing rule forms are accessible, including the standard WordPress admin interface.

Risk and Exploitability

The CVSS score of 7.6 indicates high severity, and the EPSS score of less than 1% suggests a low probability of observed exploitation in the wild. The attack vector is likely through legitimate plugin usage: a user or administrator interacting with the pricing rule form could trigger the injection. The vulnerability is not listed in CISA KEV, but it remains critical for sites relying on this plugin.

Generated by OpenCVE AI on May 1, 2026 at 08:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to a version newer than 4.5.8 when an update becomes available.
  • If an update cannot be applied immediately, disable or uninstall the plugin to eliminate the attack surface.
  • Deploy a web‑application firewall rule or implement input sanitization to block untrusted database query parameters and mitigate any remaining risk.

Advisories
Source: EUVD
ID: EUVD-2025-13792
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in acowebs Dynamic Pricing With Discount Rules for WooCommerce allows Blind SQL Injection. This issue affects Dynamic Pricing With Discount Rules for WooCommerce: from n/a through 4.5.8.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in acowebs Dynamic Pricing With Discount Rules for WooCommerce allows Blind SQL Injection. This issue affects Dynamic Pricing With Discount Rules for WooCommerce: from n/a through 4.5.8.
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in acowebs Dynamic Pricing With Discount Rules for WooCommerce aco-woo-dynamic-pricing allows Blind SQL Injection. This issue affects Dynamic Pricing With Discount Rules for WooCommerce: from n/a through <= 4.5.8.

Type: Title
Values Removed: WordPress Dynamic Pricing With Discount Rules for WooCommerce <= 4.5.8 - SQL Injection Vulnerability
Values Added: WordPress Dynamic Pricing With Discount Rules for WooCommerce plugin <= 4.5.8 - SQL Injection Vulnerability

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Mon, 14 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.0004}
Values Added: epss {'score': 0.00042}


Fri, 06 Jun 2025 22:15:00 +0000

Type: First Time appeared
Values Added: Acowebs; Acowebs dynamic Pricing With Discount Rules For Woocommerce

Type: CPEs
Values Added: cpe:2.3:a:acowebs:dynamic_pricing_with_discount_rules_for_woocommerce:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Acowebs; Acowebs dynamic Pricing With Discount Rules For Woocommerce

Wed, 07 May 2025 19:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 May 2025 14:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in acowebs Dynamic Pricing With Discount Rules for WooCommerce allows Blind SQL Injection. This issue affects Dynamic Pricing With Discount Rules for WooCommerce: from n/a through 4.5.8.

Type: Title
Values Added: WordPress Dynamic Pricing With Discount Rules for WooCommerce <= 4.5.8 - SQL Injection Vulnerability

Type: Weaknesses
Values Added: CWE-89

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:44.547Z

Reserved: 2025-05-07T09:39:53.907Z

Link: CVE-2025-47544

Vulnrichment

Updated: 2025-05-07T17:20:24.937Z

NVD

Status: Modified

Published: 2025-05-07T15:16:11.110

Modified: 2026-04-23T15:30:27.370

Link: CVE-2025-47544

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:00:12Z

Weaknesses