CVE-2025-22713
Vanquish · WooCommerce Orders & Customers Exporter
A SQL injection vulnerability in the Vanquish WooCommerce Orders & Customers Exporter plugin allows unauthenticated attackers to execute arbitrary SQL commands.
Executive summary
The WooCommerce Orders & Customers Exporter plugin is vulnerable to SQL injection, which could allow an unauthenticated attacker to compromise the underlying database.
Vulnerability
This is a SQL injection vulnerability: the plugin fails to properly sanitize user-supplied input before using it in database queries, allowing an unauthenticated attacker to manipulate the queries the application executes.
Business impact
A successful exploit of this vulnerability could lead to unauthorized access to sensitive customer data, order history, and potentially administrative credentials. Given the CVSS score of 9.8, this represents a critical risk that could result in full database compromise, significant reputational damage, and non-compliance with data protection regulations.
Remediation
Immediate Action: Update the WooCommerce Orders & Customers Exporter plugin to the latest available version; if no fixed version is yet available, apply the update as soon as the vendor releases a patch, and consider disabling the plugin until then.
Proactive Monitoring: Review web server and database logs for anomalous query patterns, such as unusual character strings or unexpected SQL syntax errors.
Compensating Controls: Deploy a Web Application Firewall (WAF) with specific rulesets designed to detect and block common SQL injection patterns.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The critical nature of this SQL injection vulnerability necessitates immediate attention. Administrators must verify the plugin version currently installed and apply the vendor's update as soon as it is released to prevent unauthorized data access and system compromise.