CVE-2025-47537 is a high-severity SQL Injection vulnerability (CWE-89) found in the add-ons.org PDF Invoices for WooCommerce + Drag and Drop Template Builder plugin, affecting versions up to 5.3.8. This vulnerability arises from improper neutralization of special elements in SQL commands, allowing an attacker with high privileges (PR:H) to inject malicious SQL code remotely (AV:N) without requiring user interaction (UI:N). The vulnerability impacts the confidentiality of the database by potentially exposing sensitive data, while integrity and availability impacts are limited to low. The scope is changed (S:C), indicating that exploitation could affect resources beyond the initially vulnerable component, possibly impacting the entire database or other integrated systems. WooCommerce is a widely used e-commerce platform built on WordPress, and this plugin is used to generate PDF invoices with customizable templates. The vulnerability likely exists in the way user input or template data is processed and incorporated into SQL queries without proper sanitization or parameterization, enabling attackers to execute arbitrary SQL commands. Although no known exploits are currently reported in the wild, the high CVSS score (7.6) and the nature of SQL Injection make this a critical issue to address promptly. The lack of available patches at the time of disclosure increases the urgency for mitigation. Organizations using this plugin in their WooCommerce installations are at risk of data leakage or unauthorized data access if an attacker can leverage their elevated privileges to exploit this flaw.

For European organizations, the impact of this vulnerability can be significant, especially for those operating e-commerce platforms using WooCommerce with the affected PDF Invoices plugin. Confidential customer data, including personally identifiable information (PII), billing details, and transaction records, could be exposed or extracted by attackers, leading to data breaches and regulatory non-compliance under GDPR. Although the vulnerability requires high privileges, compromised administrator accounts or insider threats could exploit this flaw to access sensitive data. The integrity of invoice data is less impacted, but the potential for data exposure can damage customer trust and result in financial penalties. Availability impact is low, but attackers could potentially use SQL Injection to perform limited denial-of-service attacks on the database. The vulnerability also poses reputational risks and could facilitate further attacks if attackers gain deeper access to backend systems. Given the widespread use of WooCommerce in Europe, especially among SMEs and online retailers, the threat is relevant and warrants immediate attention.

1. Immediate mitigation should include restricting administrative access to trusted personnel only and enforcing strong authentication mechanisms to reduce the risk of privilege escalation. 2. Monitor and audit administrative activities and database queries for suspicious behavior indicative of SQL Injection attempts. 3. Until an official patch is released, consider disabling or removing the vulnerable plugin if feasible, or replacing it with a secure alternative. 4. Employ Web Application Firewalls (WAFs) with rules specifically designed to detect and block SQL Injection patterns targeting WooCommerce and its plugins. 5. Implement database-level protections such as least privilege principles for database users and use of parameterized queries where possible. 6. Regularly back up databases and test restoration procedures to minimize impact in case of exploitation. 7. Stay informed about vendor updates and apply security patches promptly once available. 8. Conduct security assessments and penetration testing focused on WooCommerce environments to identify and remediate similar vulnerabilities proactively.