The vulnerability CVE-2025-31534 affects shopperdotcom Shopper (up to version 3.2.5) and is caused by improper neutralization of special elements in SQL commands, resulting in SQL Injection. This allows unauthenticated remote attackers to execute crafted SQL queries that can compromise data confidentiality. The CVSS 3.1 base score is 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L), reflecting critical severity with network attack vector, low attack complexity, no privileges or user interaction required, and significant confidentiality impact with some availability impact. No patch or vendor advisory information is available to confirm remediation status.

Successful exploitation could allow remote attackers to execute arbitrary SQL commands on the affected database, potentially leading to unauthorized disclosure of sensitive data. The vulnerability does not indicate integrity or full availability compromise but does have a low impact on availability. No known exploits have been reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider applying any recommended workarounds from the vendor or restrict access to the affected application to trusted users only. Monitor for vendor updates regarding patches or mitigations.