The WC Lovers WCFM Marketplace plugin for WordPress contains an SQL Injection vulnerability (CVE-2025-63029) affecting versions through 3.7.1. This vulnerability arises from improper neutralization of special elements in SQL commands, enabling an attacker with high privileges to execute crafted SQL queries that can compromise database confidentiality and availability. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L) indicates network attack vector, low attack complexity, required high privileges, no user interaction, scope changed, high confidentiality impact, no integrity impact, and low availability impact. No official patch or vendor advisory is currently available, and no known exploits have been reported.

Successful exploitation could allow a privileged attacker to execute unauthorized SQL commands, potentially leading to disclosure of sensitive data and partial denial of service due to availability impact. Integrity impact is not indicated. The vulnerability requires high privileges, limiting exploitation to authenticated users with elevated rights.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to high-privilege accounts and monitor for suspicious activity related to database queries. Avoid exposing administrative interfaces to untrusted networks.