Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in King-Theme Lumise Product Designer lumise allows Blind SQL Injection.This issue affects Lumise Product Designer: from n/a through < 2.0.9.
Published: 2026-03-25
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Data Compromise via Blind SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from improper sanitization of user supplied input that is incorporated into SQL queries, allowing a blind SQL injection attack. An attacker can craft input that leaks database contents or modifies database state without direct feedback, leading to unauthorized data access or persistence of malicious data. This is a classic SQL Injection weakness which is mapped to CWE‑89 and can undermine the confidentiality and integrity of the application’s data.

Affected Systems

King‑Theme Lumise Product Designer for WordPress is affected for all versions prior to 2.0.9. Administrators running any of these older plugin releases are at risk if the plugin’s administrative interface is exposed to potential attackers.

Risk and Exploitability

The high CVSS score of 9.3 reflects the severe impact of this flaw, while a very low EPSS score of less than 1 percent suggests limited current exploitation activity. The vulnerability is not present in CISA’s Known Exploited Vulnerabilities catalog. The attack vector is likely remote, executed through crafted HTTP requests to the plugin’s input handling endpoints. Successful exploitation requires the ability to send crafted data to the plugin; no additional authentication or local privileges are indicated in the description. Given the severity, this flaw represents a high risk to any system that uses the vulnerable plugin version.

Generated by OpenCVE AI on April 7, 2026 at 01:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade King‑Theme Lumise Product Designer plugin to version 2.0.9 or later
  • If an immediate upgrade is not possible, remove or disable the Lumise plugin to eliminate the attack surface
  • After upgrading, verify that no unauthorized data has been exposed or modified

Generated by OpenCVE AI on April 7, 2026 at 01:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared King-theme
King-theme lumise Product Designer
Wordpress
Wordpress wordpress
Vendors & Products King-theme
King-theme lumise Product Designer
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in King-Theme Lumise Product Designer lumise allows Blind SQL Injection.This issue affects Lumise Product Designer: from n/a through < 2.0.9.
Title WordPress Lumise Product Designer plugin < 2.0.9 - SQL Injection vulnerability
Weaknesses CWE-89
References

Subscriptions

King-theme Lumise Product Designer
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:09.223Z

Reserved: 2026-02-02T12:52:55.300Z

Link: CVE-2026-25371

cve-icon Vulnrichment

Updated: 2026-03-26T19:11:40.823Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:47.693

Modified: 2026-04-06T20:16:21.487

Link: CVE-2026-25371

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:08:57Z

Weaknesses