
CVE-2025-24767: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in facturaone TicketBAI Facturas para WooCommerce

Critical
Tags: vulnerability, cve, cve-2025-24767, cwe-89
Published: Mon Jun 09 2025 (06/09/2025, 15:56:56 UTC)
Source: CVE Database V5
Vendor/Project: facturaone
Product: TicketBAI Facturas para WooCommerce

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in facturaone TicketBAI Facturas para WooCommerce allows Blind SQL Injection. This issue affects TicketBAI Facturas para WooCommerce: from n/a through 3.19.

AI-Powered Analysis

Last updated: 07/11/2025, 01:32:23 UTC

Technical Analysis

CVE-2025-24767 is a critical SQL injection vulnerability (CWE-89) in the TicketBAI Facturas para WooCommerce plugin developed by facturaone. It allows an unauthenticated attacker to perform blind SQL injection against affected versions of the plugin (through 3.19; the record gives no lower bound). The flaw is improper neutralization of special elements in SQL commands: attacker-controlled input reaches a database query without being parameterized or escaped, so SQL embedded in that input is executed by the database. "Blind" means the query output is not returned in the HTTP response; the attacker infers data one bit at a time from side channels such as response time or a true/false difference in the page's behaviour. The vulnerability is remotely exploitable over the network with no authentication and no user interaction (CVSS vector AV:N/AC:L/PR:N/UI:N). The impact on confidentiality is high, since an attacker can read any data the plugin's database user can reach; integrity is not directly affected and availability impact is low. The plugin is used for invoicing and compliance with the TicketBAI fiscal regulation in Spain. No exploitation in the wild had been observed at the time of analysis, but the CVSS score of 9.3 and the low attack complexity make this a critical issue that requires prompt attention. The scope is changed (S:C): a successful injection runs against the shared WordPress/WooCommerce database, so its effect is not confined to the plugin's own tables. No patched version was listed at the time of publication, which further increases risk for users of this plugin.
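The pattern described above, as an added example rather than the plugin's own code (the advisory does not publish the affected code path): a generic WordPress lookup that splices a request parameter into a query, beside the same lookup written with WordPress' `$wpdb->prepare()` placeholders. The table `wp_ticketbai_invoices`, its columns and the `order_id` parameter are assumptions; `FakeWpdb` is a small stand-in for the real `$wpdb` so the script runs offline and prints the SQL each version would send.

```php
<?php
// Added example, not the plugin's code: the page does not publish the affected
// code path, so this is a generic WordPress/WooCommerce lookup. The table
// wp_ticketbai_invoices, its columns and the "order_id" request parameter are
// assumptions. FakeWpdb stands in for WordPress' real $wpdb so the script runs
// offline (php this_file.php); it only records the SQL that would be sent.

class FakeWpdb {
    public $prefix     = 'wp_';
    public $last_query = '';

    // Simplified wpdb::prepare(): %d -> int, %f -> float, %s -> quoted+escaped.
    // The real method also handles %i and uses the connection's escaping, but
    // the principle is identical: values are bound, never spliced in as SQL.
    public function prepare( $query, ...$args ) {
        $i = 0;
        return preg_replace_callback( '/%([dfs])/', function ( $m ) use ( &$i, $args ) {
            $v = $args[ $i++ ];
            switch ( $m[1] ) {
                case 'd': return (string) (int) $v;
                case 'f': return (string) (float) $v;
                default:  return "'" . addslashes( (string) $v ) . "'";
            }
        }, $query );
    }

    // Stand-in for wpdb::get_var(): record the query instead of executing it.
    public function get_var( $sql ) {
        $this->last_query = $sql;
        return null;
    }
}

// Vulnerable pattern (CWE-89): the request value becomes part of the SQL text.
function invoice_lookup_vulnerable( $wpdb, array $request ) {
    $order_id = isset( $request['order_id'] ) ? $request['order_id'] : '';
    $sql = "SELECT invoice_number FROM {$wpdb->prefix}ticketbai_invoices"
         . " WHERE order_id = " . $order_id;
    return $wpdb->get_var( $sql );
}

// Hardened pattern: validate the shape of the input, then bind it with a
// typed placeholder. Either step alone would stop these probes; using both
// is cheap defence in depth.
function invoice_lookup_hardened( $wpdb, array $request ) {
    if ( ! isset( $request['order_id'] ) || ! preg_match( '/^\d{1,10}$/', (string) $request['order_id'] ) ) {
        return null;   // reject, do not query
    }
    $sql = $wpdb->prepare(
        "SELECT invoice_number FROM {$wpdb->prefix}ticketbai_invoices WHERE order_id = %d",
        (int) $request['order_id']
    );
    return $wpdb->get_var( $sql );
}

// Constructed inputs: one benign request and three blind-injection probes.
// Nothing in the response reveals query output, so the attacker reads the
// answer from timing (SLEEP) or from a true/false difference in behaviour.
$requests = [
    'benign'       => [ 'order_id' => '42' ],
    'time-based'   => [ 'order_id' => '42 AND SLEEP(5)' ],
    'bool-true'    => [ 'order_id' => '42 AND 1=1' ],
    'bool-extract' => [ 'order_id' => '42 AND (SELECT SUBSTRING(user_pass,1,1) FROM wp_users WHERE ID=1)=\'x\'' ],
];

$wpdb = new FakeWpdb();
foreach ( $requests as $label => $req ) {
    $wpdb->last_query = '';
    invoice_lookup_vulnerable( $wpdb, $req );
    printf( "[%-12s] vulnerable: %s\n", $label, $wpdb->last_query );

    $wpdb->last_query = '';
    invoice_lookup_hardened( $wpdb, $req );
    printf( "[%-12s] hardened:   %s\n\n", $label, $wpdb->last_query ?: '(rejected, no query sent)' );
}
```

With the real `$wpdb`, the `%d` placeholder alone would already reduce `42 AND SLEEP(5)` to `42`, but the whitelist check in front of it keeps malformed input out of the query path entirely and gives the application a clean point at which to log rejected requests.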

Potential Impact

For European organizations, particularly those operating in Spain and in the regions where TicketBAI compliance is mandatory, this vulnerability poses a significant risk. Exploitation could expose financial and customer data stored in the WooCommerce database (orders, customer records and invoice data), and because the injection runs against the shared WordPress database, other tables such as user accounts and site configuration are reachable with the same database user. Disclosure of such data undermines confidentiality and may violate GDPR requirements, with financial loss, reputational damage, regulatory fines and legal consequences as possible outcomes. Data read through the injection, for example credentials, API keys or tokens stored in the same database, could also be used to gain deeper access to the affected system and to pivot to other internal resources. Given the critical severity and the plugin's role in fiscal compliance, organizations relying on TicketBAI Facturas para WooCommerce should prioritize mitigation to avoid both operational disruption and compliance failures.

Mitigation Recommendations

Organizations should immediately audit their WooCommerce installations to determine whether TicketBAI Facturas para WooCommerce at version 3.19 or earlier is installed. Until an official patch is released, Web Application Firewall (WAF) rules targeting SQL injection patterns on the plugin's endpoints reduce exposure, keeping in mind that blind injection payloads (timing functions such as SLEEP or BENCHMARK, and boolean conditions appended to a numeric parameter) are the ones to look for. Where the code can be modified, replacing string-built queries with parameterized ones (in WordPress, `$wpdb->prepare()` with typed placeholders) and validating input before it reaches the query removes the injection point. Monitoring database query logs for unexpected query shapes, for example timing functions, tautologies or subqueries against tables the plugin has no reason to read, can give early detection of exploitation attempts. Restricting the database user to the privileges WooCommerce actually needs on its own schema limits what a successful injection can read. Organizations should subscribe to vendor advisories and apply the patch promptly once available. For immediate risk reduction, disabling or removing the vulnerable plugin temporarily may be necessary if that does not disrupt critical operations.
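The log-monitoring step above, as an added example rather than anything from the advisory or the vendor: a short scan of MySQL general-log lines that flags the traces blind injection leaves (timing functions, tautologies, cross-table subqueries) and, separately, the behavioural signature of an enumeration loop, which is one connection issuing the same statement prefix with a growing set of different predicates. The log lines are constructed, and the table and column names are the same assumptions as in the earlier example.

```php
<?php
// Added example: scanning MySQL general-log lines for blind-SQLi traces.
// Not from the advisory or the plugin; the log lines below are constructed and
// the table/column names are assumptions. Run with: php sqli_log_scan.php

// Constructed sample in MySQL 8 general_log format:
// "<timestamp> <thread id> <command> <argument>".
$log = <<<'LOG'
2025-06-10T10:00:01.000000Z    12 Query    SELECT invoice_number FROM wp_ticketbai_invoices WHERE order_id = 42
2025-06-10T10:00:02.000000Z    12 Query    SELECT invoice_number FROM wp_ticketbai_invoices WHERE order_id = 42 AND SLEEP(5)
2025-06-10T10:00:08.000000Z    13 Query    SELECT option_value FROM wp_options WHERE option_name = 'siteurl'
2025-06-10T10:00:09.000000Z    12 Query    SELECT invoice_number FROM wp_ticketbai_invoices WHERE order_id = 42 AND 1=1
2025-06-10T10:00:10.000000Z    12 Query    SELECT invoice_number FROM wp_ticketbai_invoices WHERE order_id = 42 AND 1=2
2025-06-10T10:00:11.000000Z    12 Query    SELECT invoice_number FROM wp_ticketbai_invoices WHERE order_id = 42 AND (SELECT SUBSTRING(user_pass,1,1) FROM wp_users WHERE ID=1)='$'
LOG;

// Returns a list of findings: ['ts' => ..., 'thread' => ..., 'rule' => ..., 'sql' => ...].
function scan_general_log( string $log ): array {
    // Content signatures: each one is something a legitimate invoice lookup never emits.
    $signatures = [
        'time-based probe'  => '/\b(SLEEP|BENCHMARK)\s*\(/i',
        'boolean tautology' => '/\b(AND|OR)\s+\d+\s*=\s*\d+/i',
        'cross-table read'  => '/\(\s*SELECT\b.*?\bFROM\s+(wp_users|information_schema\.\w+)/i',
    ];
    $findings = [];
    $tails    = [];   // "thread|statement prefix" => set of distinct predicate tails seen

    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        if ( ! preg_match( '/^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$/', $line, $m ) ) {
            continue;   // not a line in the format we understand
        }
        $ts     = $m[1];
        $thread = $m[2];
        $cmd    = $m[3];
        $sql    = $m[4];
        if ( $cmd !== 'Query' ) {
            continue;   // Connect/Quit/etc. carry no SQL
        }

        foreach ( $signatures as $rule => $re ) {
            if ( preg_match( $re, $sql ) ) {
                $findings[] = [ 'ts' => $ts, 'thread' => $thread, 'rule' => $rule, 'sql' => $sql ];
            }
        }

        // Behavioural rule: split the statement at its first numeric equality
        // predicate and count how many different tails one connection appends
        // to the same prefix. Three or more is what an enumeration loop looks
        // like; report once, when the third variant appears.
        if ( preg_match( '/^(.*?\bWHERE\s+\w+\s*=\s*\d+)(.*)$/i', $sql, $p ) ) {
            $key = $thread . '|' . $p[1];
            $tails[ $key ][ $p[2] ] = true;
            if ( count( $tails[ $key ] ) === 3 ) {
                $findings[] = [ 'ts' => $ts, 'thread' => $thread, 'rule' => 'predicate enumeration', 'sql' => $p[1] . ' ...' ];
            }
        }
    }
    return $findings;
}

foreach ( scan_general_log( $log ) as $f ) {
    printf( "%s thread=%s %-22s %s\n", $f['ts'], $f['thread'], $f['rule'], $f['sql'] );
}
```

The general log is costly to keep on in production; the same rules apply unchanged to the slow query log (time-based probes land there by construction, since the attacker is deliberately making the query slow) and, after adjusting the line parser, to the WAF or web server access log where the payload appears URL-encoded in the request instead.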


Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-01-23T14:53:16.439Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68487f581b0bd07c3938a7fe

Added to database: 6/10/2025, 6:54:16 PM

Last enriched: 7/11/2025, 1:32:23 AM

Last updated: 8/2/2025, 12:55:46 PM

