{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25371", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:55.300Z", "datePublished": "2026-03-25T16:14:45.995Z", "dateUpdated": "2026-03-25T16:14:45.995Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://codecanyon.net", "defaultStatus": "unaffected", "packageName": "lumise", "product": "Lumise Product Designer", "vendor": "King-Theme", "versions": [{"changes": [{"at": "2.0.9", "status": "unaffected"}], "lessThanOrEqual": "< 2.0.9", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jarno Vos (jrn5151) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:26.154Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in King-Theme Lumise Product Designer lumise allows Blind SQL Injection.<p>This issue affects Lumise Product Designer: from n/a through < 2.0.9.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in King-Theme Lumise Product Designer lumise allows Blind SQL Injection.This issue affects Lumise Product Designer: from n/a through < 2.0.9."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:45.995Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/lumise/vulnerability/wordpress-lumise-product-designer-plugin-2-0-9-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Lumise Product Designer plugin < 2.0.9 - SQL Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in King-Theme Lumise Product Designer lumise allows Blind SQL Injection.This issue affects Lumise Product Designer: from n/a through < 2.0.9."}], "id": "CVE-2026-25371", "lastModified": "2026-03-25T17:16:47.693", "metrics": {}, "published": "2026-03-25T17:16:47.693", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/lumise/vulnerability/wordpress-lumise-product-designer-plugin-2-0-9-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:55:31.771931+00:00", "value": {"mitigation_remediation": ["Update the Lumise Product Designer plugin to version 2.0.9 or later.", "If an update cannot be performed immediately, disable the plugin to eliminate exposure.", "Limit access to the plugin\u2019s endpoints using network controls or a web application firewall.", "Review application logs for irregular database queries or HTTP requests that may indicate exploitation attempts.", "Apply general WordPress security hardening measures, such as keeping WordPress core and other plugins up to date and restricting user roles."], "summary": {"action": "Immediate Patch", "impact": "Database Compromise via SQL Injection"}, "threat_synthesis": {"affected_systems": "All releases of the King-Theme Lumise Product Designer plugin from the initial version through, but not including, version 2.0.9 are affected. WordPress sites that employ any of these plugin versions are therefore vulnerable.", "description_and_impact": "The Lumise Product Designer plugin for WordPress contains an improper neutralization of special elements used in an SQL command, which allows blind SQL injection. The plugin accepts user input that is incorporated directly into database queries without adequate sanitization, potentially enabling an attacker to read or modify data stored in the database.", "risk_and_exploitability": "The CVE description does not provide an explicit exploitability score or specify authentication requirements. It is inferred that the vulnerability can be triggered via publicly exposed plugin interfaces. The absence of an EPSS score and the lack of inclusion in the KEV catalog mean the precise likelihood of exploitation is uncertain, but the potential for database compromise indicates a high risk."}}}}, "created": "2026-03-25T21:44:50.161352+00:00", "updated": "2026-03-25T21:44:50.161384+00:00", "vendors": []}