The vulnerability CVE-2025-10142 affects the PagBank / PagSeguro Connect para WooCommerce plugin for WordPress, which is widely used for integrating PagBank/PagSeguro payment services into WooCommerce stores. The issue is an SQL Injection (CWE-89) caused by improper neutralization of special elements in the 'status' parameter. Specifically, the plugin fails to properly escape or prepare SQL queries involving this parameter, allowing an authenticated attacker with Shop Manager-level access or higher to append arbitrary SQL commands. This can be leveraged to extract sensitive information from the underlying database, such as customer data, transaction records, or other confidential information stored within the WordPress database. The vulnerability does not require user interaction but does require elevated privileges, limiting the attack surface to users who already have significant access to the WordPress backend. The CVSS 3.1 base score is 4.9 (medium), reflecting the network attack vector, low attack complexity, high privileges required, no user interaction, and impact limited to confidentiality. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly. The plugin versions up to and including 4.44.3 are affected, and the issue stems from insufficient input validation and lack of parameterized queries or prepared statements in the plugin's code handling the 'status' parameter.

The primary impact of this vulnerability is unauthorized disclosure of sensitive information from the WordPress database used by WooCommerce stores integrating PagBank/PagSeguro payment services. Attackers with Shop Manager or higher privileges can exploit this flaw to extract customer data, payment details, or other confidential business information, potentially leading to privacy violations, regulatory non-compliance, and reputational damage. Although the vulnerability does not allow modification or deletion of data (no integrity or availability impact), the confidentiality breach alone can have serious consequences, including identity theft, fraud, and loss of customer trust. Since exploitation requires elevated privileges, the risk is somewhat mitigated by the need for an attacker to first compromise or gain access to a Shop Manager account. However, insider threats or compromised admin accounts increase the risk. Organizations worldwide using this plugin in e-commerce environments are at risk, especially those handling large volumes of sensitive customer data.

Organizations should immediately upgrade the PagBank / PagSeguro Connect para WooCommerce plugin to a version that addresses this vulnerability once released by the vendor. Until a patch is available, administrators should restrict Shop Manager and higher privileges to trusted users only and monitor for suspicious activity in the WordPress backend. Implementing Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the 'status' parameter can provide temporary protection. Additionally, reviewing and hardening user access controls, enforcing strong authentication mechanisms (e.g., MFA) for privileged accounts, and conducting regular audits of user permissions will reduce the risk of exploitation. Developers and administrators should also consider applying custom code fixes by sanitizing and parameterizing SQL queries related to the 'status' parameter if immediate patching is not feasible. Regular backups and monitoring of database access logs can help detect and recover from potential breaches.