CVE-2025-1311 is a medium-severity SQL Injection vulnerability identified in the WooCommerce Multivendor Marketplace – REST API WordPress plugin, specifically in versions up to and including 1.6.2. The vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89) within the update_delivery_status() function. The 'id' parameter, which is user-supplied, is not sufficiently escaped or prepared before being incorporated into SQL queries, allowing attackers to append additional SQL statements. Exploitation requires authenticated access at the Subscriber level or higher, which is a relatively low privilege level in WordPress, making this vulnerability more accessible. The attack vector is network-based, with no user interaction required, and the scope is unchanged (the vulnerability affects only the plugin's database queries). Successful exploitation can lead to unauthorized disclosure of sensitive information from the underlying database, compromising confidentiality but not integrity or availability. Although no public exploits have been reported, the vulnerability's presence in a widely used e-commerce plugin increases its risk profile. The CVSS 3.1 vector string (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms the ease of exploitation and significant confidentiality impact. The vulnerability was published on March 22, 2025, and assigned by Wordfence. No official patches have been linked yet, indicating the need for immediate attention from users of this plugin.

The primary impact of CVE-2025-1311 is unauthorized disclosure of sensitive data stored in the WordPress database used by the WooCommerce Multivendor Marketplace plugin. Attackers with low-level authenticated access can exploit this flaw to extract confidential information such as user details, order data, payment information, or other sensitive business data. This can lead to privacy violations, data breaches, and potential compliance issues for organizations handling customer data. Since the vulnerability does not affect data integrity or availability, it does not directly enable data modification or service disruption. However, the exposure of sensitive data can facilitate further attacks, including phishing, identity theft, or targeted exploitation of other systems. Organizations relying on this plugin for e-commerce operations face reputational damage and potential financial loss if exploited. The ease of exploitation combined with the widespread use of WooCommerce in global e-commerce makes this a notable risk for online retailers and service providers using WordPress-based marketplaces.

To mitigate CVE-2025-1311, organizations should immediately verify if they are running affected versions (up to 1.6.2) of the WooCommerce Multivendor Marketplace – REST API plugin. Since no official patches are currently linked, users should monitor the vendor's announcements for updates or security patches and apply them promptly once available. In the interim, restrict access to the REST API endpoints related to delivery status updates to trusted roles only, ideally limiting to Administrator or Shop Manager roles rather than Subscriber-level users. Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the 'id' parameter in API requests. Conduct a thorough audit of user roles and permissions to ensure minimal privilege principles are enforced, reducing the risk of low-privilege accounts being compromised. Additionally, enable detailed logging and monitoring of API calls to detect anomalous activity indicative of exploitation attempts. Consider isolating or disabling the vulnerable plugin if it is not critical to business operations until a secure version is released. Finally, educate development and security teams on secure coding practices, emphasizing proper input validation and parameterized queries to prevent similar vulnerabilities.