
CVE-2025-10142: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in martins56 PagBank / PagSeguro Connect para WooCommerce

Medium
Type: Vulnerability | Tags: CVE-2025-10142, cve, cve-2025-10142, cwe-89
Published: Wed Sep 10 2025 (09/10/2025, 06:38:51 UTC)
Source: CVE Database V5
Vendor/Project: martins56
Product: PagBank / PagSeguro Connect para WooCommerce

Description

The PagBank / PagSeguro Connect para WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'status' parameter in all versions up to, and including, 4.44.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AI-Powered Analysis

AILast updated: 09/10/2025, 07:03:33 UTC

Technical Analysis

CVE-2025-10142 is a medium-severity SQL Injection vulnerability affecting the PagBank / PagSeguro Connect para WooCommerce plugin for WordPress, maintained by martins56. It exists in all versions up to and including 4.44.3. The root cause is improper neutralization of special elements used in SQL commands (CWE-89): the user-supplied 'status' parameter is not adequately escaped and the query that consumes it is not built as a prepared statement (in WordPress terms, the value is interpolated into the SQL string rather than bound through $wpdb->prepare() or validated against a fixed set of status values). An authenticated user with Shop Manager-level privileges or higher can therefore place SQL metacharacters in 'status' and alter the existing query, appending additional SQL that reads data from the backend database. No user interaction beyond authentication is required and the attack vector is network-based. The CVSS v3.1 base score is 4.9; the medium rating reflects the high privilege required (Shop Manager or above) and the absence of integrity and availability impact, set against a high confidentiality impact (consistent with the vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N). No exploitation in the wild has been reported, and no official patch is linked in this record. The vulnerability was published on September 10, 2025, with Wordfence as the assigning CNA. The plugin is used by WooCommerce merchants that accept PagBank / PagSeguro payments, so affected sites are typically e-commerce deployments holding order and customer data.
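The following is an added illustration of the CWE-89 pattern described above, written for this page; it is not the plugin's own code, and the table name, column names, allowed status values and nonce action are assumed for the demo. It shows the unsafe shape (request value interpolated into SQL) next to the hardened shape (allowlist plus $wpdb->prepare()):

```php
<?php
// Added example for this advisory page; not code from the plugin.
// Assumed schema: {prefix}pagbank_orders(id, order_id, status).

// Vulnerable shape: the raw 'status' value becomes part of the SQL text.
// A value such as  paid' UNION SELECT user_login, user_pass, 3 FROM wp_users-- 
// (generic illustration of the technique, not a payload taken from this CVE)
// makes the statement return rows from wp_users instead of order rows.
function pagbank_demo_orders_by_status_vulnerable( $wpdb, $status ) {
    $sql = "SELECT id, order_id, status FROM {$wpdb->prefix}pagbank_orders "
         . "WHERE status = '" . $status . "'";
    return $wpdb->get_results( $sql );
}

// Hardened shape: normalise, check against a fixed set, then bind with %s.
// $wpdb->prepare() quotes and escapes the bound value, so quotes, comment
// sequences and UNION keywords in $status can no longer change the query.
function pagbank_demo_orders_by_status_safe( $wpdb, $status ) {
    $allowed = array( 'pending', 'paid', 'cancelled', 'refunded' ); // assumed set
    $status  = sanitize_key( $status );               // lowercase, [a-z0-9_-] only
    if ( ! in_array( $status, $allowed, true ) ) {
        return new WP_Error( 'invalid_status', 'Unknown order status.' );
    }
    $sql = $wpdb->prepare(
        "SELECT id, order_id, status FROM {$wpdb->prefix}pagbank_orders WHERE status = %s",
        $status
    );
    return $wpdb->get_results( $sql );
}

// Request handler: capability and nonce checks gate who may call the query,
// but they do not fix the injection; the fix is the bound parameter above.
function pagbank_demo_handle_status_request() {
    global $wpdb;
    if ( ! current_user_can( 'manage_woocommerce' ) ) { // Shop Manager and above
        wp_die( 'Forbidden', 403 );
    }
    check_admin_referer( 'pagbank_demo_filter_orders' ); // assumed nonce action
    $status = isset( $_GET['status'] ) ? wp_unslash( $_GET['status'] ) : '';
    return pagbank_demo_orders_by_status_safe( $wpdb, $status );
}
```

Note that the capability check alone would not have prevented this CVE, since Shop Managers are legitimate callers; what closes the hole is refusing values outside the allowlist and binding the value through prepare() so it is never parsed as SQL.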

Potential Impact

For European organizations running WooCommerce with the PagBank / PagSeguro Connect plugin, this vulnerability threatens the confidentiality of data held in the WordPress database. Because a WordPress plugin executes its queries with the same database credentials as WordPress core, an injection that lets an attacker append SQL is not limited to the plugin's own tables: order and customer records, payment transaction metadata, and the password hashes in wp_users are all within reach of a read-oriented injection. A breach of that data carries GDPR notification and penalty exposure, reputational harm, and loss of customer trust, even though the flaw does not affect data integrity or availability. WooCommerce is widely deployed by European SMEs, and any merchant using this plugin to accept PagBank / PagSeguro payments is in scope. Exploitation requires Shop Manager-level access, which limits it to insiders or compromised accounts, but Shop Manager credentials are a realistic phishing or credential-stuffing target on e-commerce sites. The absence of known in-the-wild exploits makes immediate mass exploitation unlikely; the issue should nevertheless be treated as a high-priority fix for any site where Shop Manager accounts are not fully trusted.

Mitigation Recommendations

1. Limit Shop Manager and higher roles to trusted personnel and enforce multi-factor authentication on those accounts to reduce the chance that a compromised login becomes an SQL injection foothold.
2. Monitor and audit Shop Manager account activity for behaviour consistent with exploitation attempts, such as unusual requests to the plugin's order-filtering functions.
3. Add Web Application Firewall rules that flag or block SQL metacharacters and keywords (quotes, comment sequences, UNION, SELECT, SLEEP) in the 'status' parameter of requests to the plugin's endpoints; treat this as a stopgap, since WAF pattern matching can be bypassed.
4. Until an official patch is released, disable or remove the plugin if the business can tolerate it.
5. WordPress plugins run with the single database credential configured in wp-config.php, so per-plugin database privilege separation is not possible. What can be done is to confine that database user to the WordPress database alone, with no cross-database grants and no FILE privilege, which bounds what an injection can read.
6. Update WordPress, WooCommerce, and all plugins promptly once a release addressing this vulnerability is available, and verify that the installed plugin version is above 4.44.3 afterwards.
7. Run security awareness training aimed at credential theft, and periodically review which users hold Shop Manager privileges.
8. Deploy database activity monitoring to detect anomalous query shapes, for example queries from the web tier that touch wp_users outside normal authentication flows.


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-09-08T20:46:52.706Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68c11e7de55cc6e90d9f3b5a

Added to database: 9/10/2025, 6:45:17 AM

Last enriched: 9/10/2025, 7:03:33 AM

Last updated: 9/10/2025, 7:52:52 PM
