CVE-2025-48122 is a critical SQL Injection vulnerability (CWE-89) affecting the Holest Engineering Spreadsheet Price Changer plugin for WooCommerce and WP E-commerce – Light, specifically versions up to 2.4.37. This vulnerability arises from improper neutralization of special elements in SQL commands, allowing an unauthenticated remote attacker to inject malicious SQL code via crafted input parameters. The CVSS v3.1 score of 9.3 reflects the high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The scope is changed (S:C), indicating that exploitation can affect resources beyond the vulnerable component. The impact on confidentiality is high (C:H), while integrity is not impacted (I:N), and availability impact is low (A:L). This means an attacker can extract sensitive data from the backend database without modifying data or causing significant service disruption. The vulnerability affects e-commerce websites using this plugin to manage product pricing via spreadsheets, potentially exposing customer data, pricing strategies, or other sensitive business information. No known exploits are currently reported in the wild, and no patches have been linked yet, indicating that organizations should prioritize monitoring and mitigation. The plugin is widely used in WooCommerce and WP E-commerce environments, which are popular e-commerce platforms on WordPress, making this vulnerability relevant to many online retailers.

For European organizations, the impact of this vulnerability can be significant, especially for small to medium-sized enterprises (SMEs) and larger retailers relying on WooCommerce or WP E-commerce platforms with the affected plugin. Exploitation could lead to unauthorized disclosure of sensitive customer information, including personal data protected under GDPR, potentially resulting in regulatory penalties and reputational damage. The confidentiality breach could expose payment details, pricing models, or inventory data, undermining competitive advantage and customer trust. Although integrity and availability impacts are limited, the data leakage alone is critical. Additionally, attackers could leverage the information gained for further attacks, such as phishing or fraud. Given the criticality and ease of exploitation without authentication or user interaction, European e-commerce sites are at high risk if they have not updated or mitigated this vulnerability. This risk is compounded by the widespread use of WordPress-based e-commerce solutions in Europe.

Specific mitigation steps include: 1) Immediate identification of all WordPress sites using the Holest Engineering Spreadsheet Price Changer plugin for WooCommerce and WP E-commerce – Light, especially versions up to 2.4.37. 2) Applying vendor patches as soon as they become available; in the absence of patches, temporarily disabling or uninstalling the plugin to eliminate the attack surface. 3) Implementing Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the plugin’s endpoints. 4) Conducting thorough input validation and sanitization on any user-supplied data related to pricing spreadsheets, if custom modifications exist. 5) Monitoring logs for unusual database queries or access patterns indicative of exploitation attempts. 6) Ensuring that database users have the least privileges necessary to limit data exposure if injection occurs. 7) Educating site administrators on the risks and signs of SQL injection attacks. 8) Regularly backing up databases and website data to enable recovery in case of compromise. These measures go beyond generic advice by focusing on plugin-specific detection and containment strategies.