CVE-2025-24773: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce allows SQL Injection. This issue affects WPCRM - CRM for Contact form CF7 & WooCommerce: from n/a through 3.2.0.
AI Analysis
Technical Summary
CVE-2025-24773 is a critical SQL Injection vulnerability (CWE-89) in the mojoomla plugin WPCRM - CRM for Contact form CF7 & WooCommerce, affecting versions up to and including 3.2.0. It arises from improper neutralization of special elements in SQL commands, allowing an attacker to inject SQL into the queries the plugin runs against the backend database. The vulnerability is exploitable remotely over the network (AV:N), requires no privileges (PR:N) and no user interaction (UI:N), making it highly accessible to attackers. The scope is changed (S:C), indicating that exploitation can affect resources beyond the vulnerable component itself. The CVSS 3.1 base score is 9.3 (critical), reflecting high confidentiality impact (C:H), no integrity impact (I:N) and low availability impact (A:L): attackers can extract sensitive data from the database without modifying it or causing significant service disruption. The vulnerability affects installations of WPCRM that integrate with Contact Form 7 and WooCommerce, popular WordPress plugins for contact forms and e-commerce respectively. Since the plugin handles CRM data, including potentially sensitive customer and contact information, successful exploitation could lead to unauthorized data disclosure. No patches or fixes are currently listed, and no exploits are known in the wild yet. However, the ease of exploitation and critical impact make this a high-risk vulnerability requiring immediate attention. The defect likely stems from insufficient input validation or the absence of parameterized queries in the plugin's handling of form data or WooCommerce interactions, allowing crafted payloads to alter the SQL queries the plugin executes.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for businesses relying on WordPress-based e-commerce and CRM solutions. Organizations using WPCRM with Contact Form 7 and WooCommerce integrations may face unauthorized disclosure of sensitive customer data, including personally identifiable information (PII), contact details and transactional records. This can lead to violations of the EU General Data Protection Regulation (GDPR), resulting in legal penalties and reputational damage. Additionally, attackers could leverage the extracted data for further targeted attacks such as phishing or identity theft. Although the vulnerability does not directly affect data integrity or availability, the confidentiality breach alone is critical. Sectors such as retail, hospitality and service providers that rely heavily on WooCommerce and CRM plugins are particularly at risk. The vulnerability also poses a threat to trust in digital commerce platforms, potentially disrupting business operations and customer relationships across Europe.
Mitigation Recommendations
1. Immediate mitigation should involve disabling or uninstalling the affected WPCRM plugin until a security patch is released.
2. Monitor official mojoomla channels and Patchstack advisories for updates or patches addressing CVE-2025-24773.
3. Implement Web Application Firewall (WAF) rules specifically designed to detect and block SQL injection attempts targeting WordPress plugins, focusing on patterns related to Contact Form 7 and WooCommerce interactions.
4. Conduct a thorough audit of all WordPress plugins and themes to identify and update any components that handle database queries insecurely.
5. Employ database user accounts with least privilege principles, restricting the WPCRM plugin’s database user to only necessary SELECT permissions if possible, to limit data exposure in case of exploitation.
6. Regularly back up databases and monitor logs for unusual query patterns or access anomalies that may indicate attempted exploitation.
7. Educate site administrators on the risks of installing unverified plugins and the importance of timely updates.
8. Consider deploying runtime application self-protection (RASP) solutions that can detect and block SQL injection attacks in real-time within the application environment.
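As an added illustration of the defect class the technical summary describes and of what the plugin audit in recommendation 4 should look for, the following is a hypothetical WordPress AJAX handler written two ways; it is not code from WPCRM or mojoomla. The table name `{$wpdb->prefix}crm_contacts`, the `email` request field, the `crm_lookup` nonce action and the `manage_options` capability requirement are all assumptions.

```php
<?php
// Added example, not WPCRM's code. A hypothetical admin-ajax handler that looks up
// a CRM contact by the e-mail address submitted through a Contact Form 7 form.
// Assumed: table {$wpdb->prefix}crm_contacts, POST field `email`, nonce action
// `crm_lookup`, and that only administrators (manage_options) may run the lookup.

// Unsafe pattern (the CWE-89 defect class described in the advisory): the request
// value is concatenated into the SQL text, so a quote in it alters the query's
// structure instead of being treated as data. Hooked on wp_ajax_nopriv_*, it would
// also be reachable without any privileges, matching PR:N.
function crm_find_contact_unsafe() {
    global $wpdb;
    $email = isset( $_POST['email'] ) ? $_POST['email'] : '';
    $sql   = "SELECT id, name, email FROM {$wpdb->prefix}crm_contacts WHERE email = '" . $email . "'";
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// Hardened pattern: authorization and a nonce gate the handler, the input is
// validated as an e-mail address, and the value is bound with $wpdb->prepare()
// so the database never sees it as part of the query text.
function crm_find_contact_safe() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'crm_lookup' ); // terminates the request on a missing or invalid nonce
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }
    $sql = $wpdb->prepare(
        "SELECT id, name, email FROM {$wpdb->prefix}crm_contacts WHERE email = %s",
        $email
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// Only the hardened handler is registered, and only for logged-in users.
add_action( 'wp_ajax_crm_lookup', 'crm_find_contact_safe' );
```

During an audit, any `$wpdb->query()`, `get_results()`, `get_var()` or `get_row()` call whose SQL string is built from `$_GET`, `$_POST` or `$_REQUEST` values without passing through `$wpdb->prepare()` is the pattern to flag.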
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-01-23T14:53:25.027Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68518788a8c921274385debe
Added to database: 6/17/2025, 3:19:36 PM
Last enriched: 6/17/2025, 4:22:03 PM
Last updated: 8/6/2025, 6:24:21 AM