Impact
The vulnerability is a classic blind SQL injection caused by improper neutralization of special elements in an SQL command, classified as CWE-89. An attacker who can exploit it could retrieve sensitive data from the database and potentially modify records, compromising the confidentiality and integrity of the WooCommerce site. Because the injection is blind, the attacker can form arbitrary SQL queries without direct error feedback and can control the data flow without needing immediate error messages to guide them.
Affected Systems
Saad Iqbal’s License Manager for WooCommerce plugin, versions up to and including 3.0.12. No specific minor version details are listed, but any installation in that range is susceptible.
Risk and Exploitability
The CVSS score of 7.6 indicates high severity. The EPSS score of less than 1% suggests that current exploitation activity is very low, and the entry is not listed in the CISA KEV catalog. The likely attack vector is the plugin’s administrative interface or exposed endpoints, though the exact entry point is not described in the available advisory data; this inference is based on typical plugin data handling. If an attacker can inject payloads into these interfaces, they could gradually extract database content or alter orders and licensing data.