CVE-2025-12411 identifies an SQL Injection vulnerability in the Premmerce Wholesale Pricing for WooCommerce plugin for WordPress, specifically in versions up to and including 1.1.10. The root cause is improper neutralization of special elements in SQL commands (CWE-89), where user-supplied parameters 'ID' and 'price_type' are insufficiently escaped or prepared before being incorporated into SQL queries. These parameters are processed via admin-post.php actions named "premmerce_update_price_type" and "premmerce_delete_price_type" respectively. An attacker with authenticated access at subscriber level or higher can exploit this flaw to manipulate SQL queries, enabling unauthorized extraction of sensitive information from the database, such as customer or pricing data. Additionally, attackers can modify price type display names stored in the database, which leads to cosmetic corruption of the WordPress admin interface. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 base score is 7.1, reflecting high severity due to high confidentiality impact, low attack complexity, and low privileges required. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability affects all versions of the plugin up to 1.1.10, which is widely used in WooCommerce installations for wholesale pricing management.

The primary impact of this vulnerability is unauthorized disclosure of sensitive information stored in the WordPress database, which may include customer data, pricing structures, and other confidential business information. This can lead to data breaches, loss of customer trust, and potential regulatory compliance violations. The ability to modify price type display names, while primarily cosmetic, could be leveraged to confuse administrators or mask malicious activity. Since the vulnerability requires only subscriber-level authentication, attackers can exploit compromised or low-privilege accounts to escalate their access to sensitive data. This increases the risk for organizations that allow user registrations or have multiple users with subscriber or higher roles. The vulnerability does not directly affect system availability or integrity of core WordPress files but compromises the confidentiality and integrity of plugin-specific data. Organizations using WooCommerce with this plugin are at risk of targeted attacks aiming to extract business-sensitive information or manipulate pricing data, potentially impacting revenue and operational trust.

1. Immediate mitigation involves restricting subscriber-level users from accessing or invoking the vulnerable admin-post.php actions by implementing role-based access controls or custom filters in WordPress. 2. Monitor and audit user accounts with subscriber or higher privileges to detect suspicious activity or unauthorized access. 3. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the 'ID' and 'price_type' parameters in requests to admin-post.php. 4. Disable or remove the Premmerce Wholesale Pricing for WooCommerce plugin if it is not essential to reduce the attack surface. 5. Follow up with the vendor for official patches or updates addressing this vulnerability and apply them promptly once available. 6. Conduct regular security assessments and code reviews of WordPress plugins, especially those handling sensitive data or user input. 7. Implement database monitoring to detect unusual query patterns or unauthorized data access. 8. Educate administrators and users about the risks of low-privilege account compromise and enforce strong authentication mechanisms to reduce account takeover risks.