Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mystyleplatform MyStyle Custom Product Designer mystyle-custom-product-designer allows Blind SQL Injection.This issue affects MyStyle Custom Product Designer: from n/a through <= 3.21.1.
Published: 2025-06-09
Score: 9.3 Critical
EPSS: 6.7% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a blind SQL injection in the MyStyle Custom Product Designer WordPress plugin, permitting an attacker to craft inputs that cause the plugin to construct malformed SQL commands. Although the injection is blind, the attacker can determine the truth of conditional queries and thus infer, read, alter, or delete data stored in the WordPress database. This represents a serious risk to data confidentiality and integrity, potentially exposing sensitive user or configuration information.

Affected Systems

WordPress sites using the mystyleplatform MyStyle Custom Product Designer plugin with versions up to and including 3.21.1 are affected. The vulnerability is not tied to a particular operating system or PHP version, but any installation deploying the plugin within this version range is susceptible.

Risk and Exploitability

The CVSS score of 9.3 indicates a high severity, and the EPSS score of 7% suggests the issue is considered likely to be exploited. The vulnerability is not yet listed in the CISA KEV catalog. The attack vector would involve an attacker sending crafted requests to the plugin’s input fields, possibly through the WordPress front‑end or administration interface. Because the attack is blind, successful exploitation requires inference over time but can still be achieved remotely without authentication if the plugin accepts untrusted input.

Generated by OpenCVE AI on April 30, 2026 at 18:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the MyStyle Custom Product Designer plugin to a version newer than 3.21.1 or apply the vendor patch if available.
  • If an immediate upgrade is not feasible, disable the plugin’s public entry points or restrict access to the plugin’s input forms behind authentication, and enforce strict input validation on those endpoints.
  • Configure the database user used by WordPress with the least privileges necessary for normal operation, limit SELECT/INSERT permissions, and enable database auditing to detect anomalous queries.

Generated by OpenCVE AI on April 30, 2026 at 18:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-17539 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mystyleplatform MyStyle Custom Product Designer allows Blind SQL Injection. This issue affects MyStyle Custom Product Designer: from n/a through 3.21.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mystyleplatform MyStyle Custom Product Designer allows Blind SQL Injection. This issue affects MyStyle Custom Product Designer: from n/a through 3.21.1. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mystyleplatform MyStyle Custom Product Designer mystyle-custom-product-designer allows Blind SQL Injection.This issue affects MyStyle Custom Product Designer: from n/a through <= 3.21.1.
Title WordPress MyStyle Custom Product Designer <= 3.21.1 - SQL Injection Vulnerability WordPress MyStyle Custom Product Designer plugin <= 3.21.1 - SQL Injection Vulnerability
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00039}

 epss

{'score': 0.00043}

Mon, 09 Jun 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Jun 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mystyleplatform MyStyle Custom Product Designer allows Blind SQL Injection. This issue affects MyStyle Custom Product Designer: from n/a through 3.21.1.
Title WordPress MyStyle Custom Product Designer <= 3.21.1 - SQL Injection Vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:55.215Z

Reserved: 2025-05-19T14:13:30.915Z

Link: CVE-2025-48281

cve-icon Vulnrichment

Updated: 2025-06-09T17:19:01.194Z

cve-icon NVD

Status : Deferred

Published: 2025-06-09T16:15:44.637

Modified: 2026-04-23T15:31:01.487

Link: CVE-2025-48281

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T18:15:06Z

Weaknesses