CVE-2025-12411 is a SQL Injection vulnerability identified in the Premmerce Wholesale Pricing for WooCommerce plugin for WordPress, affecting all versions up to and including 1.1.10. The root cause is improper neutralization of special elements in SQL commands (CWE-89), specifically due to insufficient escaping and lack of prepared statements for the 'ID' parameter and the 'price_type' parameter in the plugin's admin-post.php actions 'premmerce_update_price_type' and 'premmerce_delete_price_type'. This flaw allows authenticated attackers with subscriber-level privileges or higher to inject malicious SQL code. Exploitation can lead to unauthorized extraction of sensitive data from the WordPress database, such as customer or pricing information, and modification of price type display names, which may cause cosmetic corruption in the WordPress admin interface. The vulnerability does not require user interaction but does require authentication with low privileges, increasing the attack surface since subscriber accounts are common in WordPress environments. The CVSS 3.1 base score is 7.1, indicating a high severity primarily due to the high confidentiality impact and low attack complexity. No public exploits have been reported yet, but the vulnerability's nature makes it a significant risk for e-commerce sites relying on this plugin. The lack of available patches at the time of publication necessitates immediate risk mitigation steps.

For European organizations, particularly those operating e-commerce platforms using WooCommerce with the Premmerce Wholesale Pricing plugin, this vulnerability poses a significant risk to data confidentiality. Attackers with minimal privileges can extract sensitive customer and pricing data, potentially leading to data breaches and loss of customer trust. The ability to modify price type display names, while primarily cosmetic, could be leveraged for social engineering or to disrupt administrative operations. Given the widespread use of WooCommerce in Europe and the common practice of granting subscriber-level access to users, the attack surface is considerable. Data protection regulations such as GDPR impose strict requirements on safeguarding personal data, and exploitation of this vulnerability could lead to regulatory penalties and reputational damage. Although availability and integrity impacts are limited, the confidentiality breach alone is critical for organizations handling sensitive customer or financial data.

Organizations should immediately audit their WordPress installations to identify the presence of the Premmerce Wholesale Pricing for WooCommerce plugin and verify the version in use. Until an official patch is released, restrict subscriber-level and higher user roles to only trusted individuals and review user permissions to minimize exposure. Implement Web Application Firewall (WAF) rules specifically designed to detect and block SQL injection patterns targeting the 'ID' and 'price_type' parameters in admin-post.php requests. Regularly monitor logs for suspicious activity related to these endpoints. Consider disabling or removing the plugin if it is not essential to business operations. Additionally, enforce strong authentication mechanisms and monitor for anomalous user behavior. Once a patch becomes available, prioritize its deployment in all affected environments. Conduct security awareness training for administrators to recognize potential exploitation signs and maintain regular backups to enable recovery from any data manipulation.