
CVE-2025-24773: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce

Severity: Critical
Type: Vulnerability (CVE-2025-24773, CWE-89)
Published: Tue Jun 17 2025 (06/17/2025, 15:01:40 UTC)
Source: CVE Database V5
Vendor/Project: mojoomla
Product: WPCRM - CRM for Contact form CF7 & WooCommerce

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce allows SQL Injection. This issue affects WPCRM - CRM for Contact form CF7 & WooCommerce: from n/a through 3.2.0.

AI-Powered Analysis

Last updated: 06/17/2025, 16:22:03 UTC

Technical Analysis

CVE-2025-24773 is a critical SQL Injection vulnerability (CWE-89) in the mojoomla WPCRM plugin (CRM for Contact form CF7 & WooCommerce), affecting versions up to and including 3.2.0. It arises from improper neutralization of special elements in SQL commands, allowing an attacker to inject SQL into the plugin's backend database queries. The vulnerability is remotely exploitable over the network (AV:N), requires no privileges (PR:N) and no user interaction (UI:N), making it highly accessible to attackers. The scope is changed (S:C), meaning exploitation can affect resources beyond the vulnerable component itself. The CVSS 3.1 base score is 9.3 (critical), reflecting high confidentiality impact (C:H), no integrity impact (I:N) and low availability impact (A:L): attackers can extract sensitive data from the database without modifying it or causing significant service disruption. The vulnerability affects WPCRM installations that integrate with Contact Form 7 and WooCommerce, popular WordPress plugins for contact management and e-commerce respectively. Because the plugin handles CRM data, including potentially sensitive customer and contact information, successful exploitation could lead to unauthorized data disclosure. No patches or fixes are currently listed, and no exploits are known in the wild yet; however, the ease of exploitation and critical impact make this a high-risk vulnerability requiring immediate attention. The vulnerability most likely stems from insufficient input validation or the absence of parameterized queries in the plugin's handling of form data or WooCommerce interactions, letting attackers craft payloads that alter the SQL queries the plugin executes.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for businesses relying on WordPress-based e-commerce and CRM solutions. Organizations using WPCRM with Contact Form 7 and WooCommerce integrations may face unauthorized disclosure of sensitive customer data, including personally identifiable information (PII), contact details and transactional records. This can lead to violations of the EU General Data Protection Regulation (GDPR), resulting in legal penalties and reputational damage. Additionally, attackers could leverage the extracted data for further targeted attacks such as phishing or identity theft. Although the vulnerability does not directly affect data integrity or availability, the confidentiality breach alone is critical. Sectors such as retail, hospitality and service providers that heavily use WooCommerce and CRM plugins are particularly at risk. The vulnerability also poses a threat to trust in digital commerce platforms, potentially disrupting business operations and customer relationships across Europe.

Mitigation Recommendations

1. Immediate mitigation should involve disabling or uninstalling the affected WPCRM plugin until a security patch is released.
2. Monitor official mojoomla channels and Patchstack advisories for updates or patches addressing CVE-2025-24773.
3. Implement Web Application Firewall (WAF) rules specifically designed to detect and block SQL injection attempts targeting WordPress plugins, focusing on patterns related to Contact Form 7 and WooCommerce interactions.
4. Conduct a thorough audit of all WordPress plugins and themes to identify and update any components that handle database queries insecurely.
5. Apply the principle of least privilege to database accounts: where possible, restrict the WPCRM plugin's database user to only the SELECT permissions it needs, to limit data exposure in case of exploitation.
6. Regularly back up databases and monitor logs for unusual query patterns or access anomalies that may indicate attempted exploitation.
7. Educate site administrators on the risks of installing unverified plugins and the importance of timely updates.
8. Consider deploying runtime application self-protection (RASP) solutions that can detect and block SQL injection attacks in real time within the application environment.
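As an added illustration (not the plugin's code; the CVE record does not include source), the unauthenticated, string-interpolated lookup pattern that the technical analysis above describes, beside a hardened version applying the mitigations listed: a capability check, a nonce check, input validation and a parameterized query via $wpdb->prepare(). The AJAX action name, function names and the crm_contacts table are assumptions.

```php
<?php
// Added illustration, not the WPCRM plugin's code. A hypothetical contact
// lookup that a CF7/WooCommerce CRM plugin might expose through admin-ajax.php.
// Action name, function names and table name are assumptions.

// VULNERABLE PATTERN: the request value is concatenated straight into the SQL
// string (CWE-89) and the handler is reachable without logging in (PR:N).
function wpcrm_demo_lookup_vulnerable() {
    global $wpdb;
    $email = $_POST['email'];                       // untrusted, unvalidated
    $sql   = "SELECT id, name, email, phone FROM {$wpdb->prefix}crm_contacts "
           . "WHERE email = '$email'";              // quotes in $email change the query
    wp_send_json( $wpdb->get_results( $sql ) );
}
add_action( 'wp_ajax_nopriv_crm_lookup_demo', 'wpcrm_demo_lookup_vulnerable' );

// HARDENED PATTERN: logged-in users with a suitable capability only, nonce
// verified, input validated, and the value bound with $wpdb->prepare().
function wpcrm_demo_lookup_hardened() {
    global $wpdb;

    check_ajax_referer( 'crm_lookup_demo', 'nonce' );     // rejects forged requests
    if ( ! current_user_can( 'manage_options' ) ) {        // removes the PR:N condition
        wp_send_json_error( 'forbidden', 403 );
    }

    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) ) {                          // reject anything that is not an address
        wp_send_json_error( 'invalid email', 400 );
    }

    // %s is escaped and quoted by prepare(); the input can no longer alter the statement.
    $sql = $wpdb->prepare(
        "SELECT id, name, email, phone FROM {$wpdb->prefix}crm_contacts WHERE email = %s",
        $email
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
// Registered for authenticated requests only: no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_crm_lookup_demo', 'wpcrm_demo_lookup_hardened' );
```

The same prepare() discipline applies to every query the plugin builds from CF7 form fields or WooCommerce order data, and the database user that runs them should hold only the grants those queries need (mitigation item 5).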


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-01-23T14:53:25.027Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68518788a8c921274385debe

Added to database: 6/17/2025, 3:19:36 PM

Last enriched: 6/17/2025, 4:22:03 PM

Last updated: 8/12/2025, 11:16:21 AM

