The Next-Cart Store to WooCommerce Migration plugin by Martin Nguyen contains an SQL Injection vulnerability (CVE-2025-30807) due to improper neutralization of special elements in SQL commands. This allows unauthenticated remote attackers to execute arbitrary SQL queries, potentially leading to disclosure of sensitive data. The vulnerability affects all versions up to 3.9.4. The CVSS v3.1 base score is 9.3, reflecting critical severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact scope is changed (S:C), with high confidentiality impact, no integrity impact, and low availability impact. No patch or vendor advisory is currently available to confirm remediation status.

Successful exploitation of this vulnerability could allow remote attackers to retrieve sensitive information from the database, compromising confidentiality. The vulnerability does not affect data integrity but may cause limited availability issues. There are no known active exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider restricting access to the plugin functionality and monitor for updates from Martin Nguyen or trusted security sources. Avoid exposing the affected plugin to untrusted networks where possible.