CVE-2025-12411 is an SQL Injection vulnerability classified under CWE-89 affecting the Premmerce Wholesale Pricing for WooCommerce plugin for WordPress. The vulnerability arises from improper neutralization of special elements in SQL commands due to insufficient escaping and lack of prepared statements for user-supplied parameters, specifically the 'ID' parameter in the 'premmerce_update_price_type' action and the 'price_type' parameter in the 'premmerce_delete_price_type' action handled via admin-post.php. Authenticated attackers with subscriber-level privileges or higher can exploit this flaw to inject malicious SQL code, enabling them to extract sensitive information from the underlying database and alter price type display names stored in the database. Although the modification of price type names primarily causes cosmetic corruption in the WordPress admin interface, the ability to extract sensitive data represents a serious confidentiality breach. The vulnerability requires no user interaction but does require authentication with low privileges, increasing the risk as many WordPress sites allow subscriber-level accounts. The CVSS v3.1 score of 7.1 reflects the network attack vector, low attack complexity, low privileges required, no user interaction, and high confidentiality impact with limited integrity impact and no availability impact. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly.

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive business data stored within WooCommerce databases, including pricing structures and potentially customer information if stored in related tables. Exploitation could lead to unauthorized data disclosure, undermining customer trust and potentially violating GDPR regulations regarding data protection and breach notification. The ability to alter price type display names, while mostly cosmetic, could also disrupt administrative workflows and cause confusion in pricing management. Given WooCommerce's widespread use across European e-commerce businesses, especially small and medium enterprises, this vulnerability could be leveraged by attackers to gain footholds or conduct further attacks within compromised environments. The requirement for only subscriber-level access lowers the barrier for exploitation, increasing the threat surface. Organizations in sectors with high e-commerce reliance, such as retail and wholesale distribution, are particularly at risk. Additionally, data breaches resulting from this vulnerability could lead to regulatory fines and reputational damage.

Organizations should immediately audit their WordPress installations to identify the presence of the Premmerce Wholesale Pricing for WooCommerce plugin and verify the version in use. Since no official patches are currently available, temporary mitigations include restricting subscriber-level user capabilities to prevent access to admin-post.php actions related to price type updates and deletions. Implementing Web Application Firewall (WAF) rules to detect and block suspicious SQL injection payloads targeting the 'ID' and 'price_type' parameters can reduce exploitation risk. Monitoring logs for unusual database queries or admin-post.php requests from low-privilege users is recommended. Organizations should also consider disabling or removing the plugin if it is not essential to business operations until a secure version is released. Regular backups of the database and WordPress environment should be maintained to enable recovery from potential data corruption. Finally, organizations should subscribe to vendor and security advisories to apply official patches promptly once available.