A high-severity vulnerability has been identified in the Premmerce Wholesale Pricing for WooCommerce plugin for WordPress. This flaw, a SQL Injection, could allow an unauthenticated attacker to manipulate the website's database, potentially leading to the theft of sensitive customer data, website defacement, or unauthorized administrative access. Organizations using this plugin are at significant risk of a data breach and should apply the recommended updates immediately.

The vulnerability is a SQL Injection flaw that exists due to insufficient sanitization of user-supplied input in the 'ID' parameter. An attacker can send a specially crafted web request containing malicious SQL queries within this parameter. Because the application fails to properly validate this input, the malicious queries are executed directly against the backend database, allowing the attacker to read, modify, or delete sensitive information, such as user credentials, customer data, and order details.

This vulnerability is rated as High severity with a CVSS score of 7.1. Successful exploitation could have a severe business impact, leading to a significant data breach of sensitive customer and business information stored in the WooCommerce database. Potential consequences include unauthorized access to personally identifiable information (PII), financial loss, reputational damage, and potential regulatory fines for non-compliance with data protection standards. An attacker could also leverage this access to deface the website or compromise the underlying server.

Immediate Action: Immediately update the "Premmerce Wholesale Pricing for WooCommerce" plugin to the latest patched version provided by the vendor. If the plugin is no longer required for business operations, it should be deactivated and completely removed from the WordPress installation to eliminate the risk.

Proactive Monitoring: Monitor web server and Web Application Firewall (WAF) logs for suspicious requests containing SQL syntax, particularly targeting the vulnerable 'ID' parameter. Look for an unusual volume of database queries, high CPU usage on the database server, or unauthorized changes to website content or user accounts.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with strict rulesets designed to detect and block SQL Injection attack patterns. Additionally, ensure the WordPress database user account operates with the principle of least privilege, restricting its permissions to only what is necessary for the application to function, thereby limiting the potential impact of a successful exploit.

Public Exploit Available: false

Given the high severity of this SQL Injection vulnerability and the potential for a complete database compromise, we strongly recommend that all affected systems be patched immediately by updating the plugin to the latest version. While this vulnerability is not currently listed on the CISA KEV catalog, its critical nature warrants urgent attention. Prioritize the remediation of this flaw on all public-facing e-commerce websites to prevent potential data breaches and protect customer information.