Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MailerLite MailerLite – WooCommerce integration woo-mailerlite allows SQL Injection. This issue affects MailerLite – WooCommerce integration: from n/a through <= 3.1.2.
Published: 2026-01-22
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The MailerLite – WooCommerce integration plugin for WordPress contains an SQL injection flaw caused by improper neutralization of special characters in SQL statements. An attacker who can supply input to the plugin’s WooCommerce integration functions can inject arbitrary SQL, allowing read, modify, or delete operations on the database. This could compromise data confidentiality, integrity, and potentially availability if the database is affected.

Affected Systems

MailerLite – WooCommerce integration plugin for WordPress: all versions up to and including 3.1.2 are vulnerable (the advisory gives the affected range as "n/a through 3.1.2", so no earlier version is known to be safe).

Risk and Exploitability

The CVSS score of 9.3 corresponds to a critical severity rating. The EPSS score of less than 1% indicates a low probability of exploitation at this time, and the vulnerability is currently not listed in CISA’s KEV catalog. The likely attack vector is a web request to the plugin’s integration endpoints that accept user input; whether authentication is required is not explicitly stated. Exploitation could lead to arbitrary SQL execution against the database, potentially exposing sensitive data and disrupting application functionality.

Generated by OpenCVE AI on April 28, 2026 at 18:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MailerLite – WooCommerce integration to a version newer than 3.1.2 as soon as possible.
  • If an upgrade cannot be performed immediately, deactivate or uninstall the plugin to eliminate the vulnerability.
  • Restrict the database user account used by WordPress to the minimum privileges required for normal operation, reducing the impact if an injection does occur.
  • Consider implementing a web application firewall or input filtering to block suspicious SQL injection payloads targeting the plugin’s endpoints.
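
The flaw class named above (CWE-89, building SQL from request input without neutralizing special characters) is easiest to see next to the WordPress idiom that fixes it. The following PHP is an added illustration, not code from the MailerLite – WooCommerce integration plugin: the function names, the `ml_subscribers` table and the `WpdbStandIn` class are hypothetical, and the stand-in exists only so the file runs without WordPress loaded (the real `$wpdb->prepare()` lives in `wp-includes/class-wpdb.php`).

```php
<?php
// Added illustration, not the plugin's code. Contrasts the CWE-89 pattern
// (string-building a query from request input) with the $wpdb->prepare()
// idiom that neutralizes the special characters the advisory refers to.

// Minimal stand-in for WordPress's $wpdb so this runs stand-alone (hypothetical).
class WpdbStandIn {
    public string $prefix = 'wp_';

    // Imitates $wpdb->prepare(): %s is escaped and quoted, %d is cast to int.
    public function prepare(string $query, ...$args): string {
        $i = 0;
        return preg_replace_callback('/%([sd])/', function ($m) use ($args, &$i) {
            $value = $args[$i++] ?? null;
            if ($m[1] === 'd') {
                return (string) (int) $value;
            }
            // Real wpdb escapes through the MySQL driver; addslashes() is a
            // stand-in that handles ' " \ and NUL for this demonstration.
            return "'" . addslashes((string) $value) . "'";
        }, $query);
    }
}

$wpdb = new WpdbStandIn();

// Vulnerable pattern (hypothetical): request input concatenated into SQL.
function find_subscriber_unsafe(WpdbStandIn $wpdb, string $email): string {
    return "SELECT * FROM {$wpdb->prefix}ml_subscribers WHERE email = '$email'";
}

// Hardened pattern: the same query built through prepare(), so the value
// can never leave its string literal regardless of what it contains.
function find_subscriber_safe(WpdbStandIn $wpdb, string $email): string {
    return $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}ml_subscribers WHERE email = %s",
        $email
    );
}

// Constructed input: a value containing a quote, as an attacker would supply
// to close the string literal early.
$hostile = "x' OR '1'='1";

echo "unsafe: ", find_subscriber_unsafe($wpdb, $hostile), PHP_EOL;
echo "safe:   ", find_subscriber_safe($wpdb, $hostile), PHP_EOL;
```

Run it with `php` on the command line: in the unsafe output the input's quote terminates the `email = '...'` literal and the remainder becomes a tautology that matches every row, while in the prepared output the quotes are escaped and stay inside a single literal, so the comparison is against the odd-looking string itself and nothing else. The same rule applies to numeric input (`%d`) and to `LIKE` patterns, which additionally need `$wpdb->esc_like()` before being passed as a `%s` argument.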

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N'}
Values Added: cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Wed, 28 Jan 2026 17:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Added: Mailerlite; Mailerlite mailerlite; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Mailerlite; Mailerlite mailerlite; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MailerLite MailerLite – WooCommerce integration woo-mailerlite allows SQL Injection. This issue affects MailerLite – WooCommerce integration: from n/a through <= 3.1.2.

Type: Title
Values Added: WordPress MailerLite – WooCommerce integration plugin <= 3.1.2 - SQL Injection vulnerability

Type: Weaknesses
Values Added: CWE-89

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:24.292Z

Reserved: 2025-12-15T10:00:06.384Z

Link: CVE-2025-67945

Vulnrichment

Updated: 2026-01-28T16:18:07.168Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:04.170

Modified: 2026-04-27T18:16:51.107

Link: CVE-2025-67945

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T18:15:37Z

Weaknesses