CVE-2025-30791 identifies a critical SQL Injection vulnerability in the wpdever Cart tracking for WooCommerce plugin, versions up to 1.0.16. The flaw stems from improper neutralization of special elements in SQL commands, which means that user-supplied input is not adequately sanitized before being incorporated into SQL queries. This allows an attacker to inject malicious SQL code, potentially enabling unauthorized access to the underlying database. Such injection can lead to data leakage, unauthorized data modification, or even complete compromise of the database server. The vulnerability is present in a plugin that integrates with WooCommerce, a widely used e-commerce platform on WordPress, thus affecting a broad range of online stores. No CVSS score has been assigned yet, and no patches or known exploits have been reported at the time of publication. The vulnerability does not require authentication, meaning any unauthenticated attacker could exploit it remotely. Given the nature of SQL Injection, exploitation could allow attackers to bypass application logic, extract sensitive customer data, manipulate order information, or disrupt service availability. The lack of official patches necessitates immediate defensive measures by affected organizations. This vulnerability highlights the importance of secure coding practices, especially in plugins that handle critical e-commerce data and transactions.

The potential impact of CVE-2025-30791 is significant for organizations running WooCommerce stores with the vulnerable Cart tracking plugin. Exploitation could lead to unauthorized disclosure of sensitive customer information such as personal details, payment data, and order history, resulting in privacy violations and regulatory non-compliance. Attackers could also alter or delete order data, causing financial losses and operational disruptions. The integrity of the e-commerce platform could be compromised, undermining customer trust and brand reputation. Additionally, attackers might leverage the vulnerability to escalate privileges or pivot to other parts of the network, increasing the scope of the breach. The ease of exploitation without authentication and the widespread use of WooCommerce amplify the risk. Even though no active exploits are known currently, the vulnerability presents a critical risk if weaponized by threat actors. Organizations could face legal liabilities, financial penalties, and loss of competitive advantage if the vulnerability is exploited.

To mitigate CVE-2025-30791, organizations should immediately disable the wpdever Cart tracking for WooCommerce plugin until a security patch is released. If disabling is not feasible, implement strict input validation and sanitization on all user inputs that interact with the plugin’s database queries. Employ Web Application Firewalls (WAFs) with SQL Injection detection and prevention rules tailored to WooCommerce traffic. Monitor database logs and application behavior for unusual query patterns or access attempts indicative of injection attacks. Regularly back up e-commerce data to enable recovery in case of compromise. Engage with the plugin vendor or community to track patch releases and apply updates promptly once available. Additionally, conduct security audits and penetration testing focused on plugin vulnerabilities. Educate development and operations teams on secure coding and plugin management best practices to prevent similar issues in the future.