{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69337", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:23.433Z", "datePublished": "2026-02-20T15:46:50.197Z", "dateUpdated": "2026-04-28T20:53:55.871Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "wolmart-core", "product": "Wolmart Core", "vendor": "don-themes", "versions": [{"changes": [{"at": "1.9.7", "status": "unaffected"}], "lessThanOrEqual": "1.9.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:45.732Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in don-themes Wolmart Core wolmart-core allows Blind SQL Injection.<p>This issue affects Wolmart Core: from n/a through <= 1.9.6.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in don-themes Wolmart Core wolmart-core allows Blind SQL Injection.This issue affects Wolmart Core: from n/a through <= 1.9.6."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:37.906Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wolmart-core/vulnerability/wordpress-wolmart-core-plugin-1-9-6-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Wolmart Core plugin <= 1.9.6 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T19:28:50.383379Z", "id": "CVE-2025-69337", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T20:53:55.871Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69337", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-24T19:28:50.383379Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T19:33:14.108Z"}}], "cna": {"title": "WordPress Wolmart Core plugin <= 1.9.6 - SQL Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "affected": [{"vendor": "don-themes", "product": "Wolmart Core", "versions": [{"status": "affected", "changes": [{"at": "1.9.7", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.9.6"}], "packageName": "wolmart-core", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:03:45.732Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wolmart-core/vulnerability/wordpress-wolmart-core-plugin-1-9-6-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in don-themes Wolmart Core wolmart-core allows Blind SQL Injection.This issue affects Wolmart Core: from n/a through <= 1.9.6.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in don-themes Wolmart Core wolmart-core allows Blind SQL Injection.<p>This issue affects Wolmart Core: from n/a through <= 1.9.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:13:18.022Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69337", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:13:18.022Z", "dateReserved": "2025-12-31T20:12:23.433Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:50.197Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in don-themes Wolmart Core wolmart-core allows Blind SQL Injection.This issue affects Wolmart Core: from n/a through <= 1.9.6."}, {"lang": "es", "value": "Vulnerabilidad de Neutralizaci\u00f3n Incorrecta de Elementos Especiales utilizados en un Comando SQL ('Inyecci\u00f3n SQL') en don-themes Wolmart Core wolmart-core permite Inyecci\u00f3n SQL Ciega. Este problema afecta a Wolmart Core: desde n/a hasta &lt;= 1.9.6."}], "id": "CVE-2025-69337", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:20.457", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wolmart-core/vulnerability/wordpress-wolmart-core-plugin-1-9-6-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.9.6]"}}], "enrichment": {"confidence": 82.0, "confidence_source": "matching", "scores": [{"score": 82.0, "source": "matching"}]}, "original": {"product": "Wolmart Core", "source": "cna", "vendor": "don-themes"}, "product": "wolmart", "vendor": "d-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T09:31:09.629434+00:00", "value": {"mitigation_remediation": ["Update the Wolmart Core plugin to a version newer than 1.9.6.", "If an update cannot be performed immediately, disable or remove the Wolmart Core plugin to eliminate the vulnerable code path.", "Deploy a web application firewall or similar filtering solution to block HTTP requests that contain typical SQL injection patterns targeting the plugin\u2019s endpoints."], "summary": {"action": "Apply Patch", "impact": "Blind SQL injection that permits data extraction"}, "threat_synthesis": {"affected_systems": "The WordPress Wolmart Core plugin from don\u2011themes is vulnerable in all releases up to and including version 1.9.6. Users who run any of these versions on a WordPress site are at risk, particularly when the plugin\u2019s endpoints are reachable from the internet.", "description_and_impact": "Improper neutralization of special elements in an SQL command in the Wolmart Core plugin introduces a blind SQL injection flaw. The vulnerability can be exploited by supplying crafted input to the plugin, allowing an attacker to infer information from the database through response analysis. This capability may lead to data compromise, as sensitive information can be disclosed. The weakness is classified as CWE\u201189.", "risk_and_exploitability": "The CVSS base score of 9.3 indicates a critical severity. An EPSS score of <1% suggests a low but nonzero likelihood of exploitation at the time of analysis, and the flaw is not listed in the CISA KEV catalog. While the CVE description does not specify an attack vector, it is inferred that an attacker can initiate the injection remotely through HTTP requests to the plugin\u2019s input points without needing authenticated access. Consequently, sites exposing the vulnerable plugin to external traffic face a substantial risk of data extraction."}}}}, "created": "2026-02-23T14:37:27.141381+00:00", "updated": "2026-04-28T09:45:28.441972+00:00", "vendors": ["d-themes", "d-themes$PRODUCT$wolmart", "wordpress", "wordpress$PRODUCT$wordpress"]}