CVE-2025-22710

Severity: High

Published: 21 January 2025
Modified: 23 April 2026
CVSS v3.1 score: 7.6 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L)
EPSS score: 0.1933 (95.5th percentile)
Risk priority: 27 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-22710 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Databases (T1213.006). The CVE ranks in the top 4.5% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-22710 is a blind SQL injection vulnerability (CWE-89) in the StoreApps Smart Manager plugin for WordPress, also known as smart-manager-for-wp-e-commerce. The flaw stems from improper neutralization of special elements in SQL commands and affects all versions through 8.52.0.

An attacker who already holds high privileges on the WordPress site (CVSS PR:H) can exploit the issue over the network with low attack complexity and no user interaction required. Successful exploitation yields high confidentiality impact and low availability impact under a changed scope, allowing the attacker to extract sensitive database contents via blind SQL injection techniques.

The Patchstack advisory for this vulnerability recommends updating the Smart Manager plugin to a version later than 8.52.0 to remediate the SQL injection flaw. The EPSS score currently stands at 0.1933 and has not risen to this value from a lower baseline.

Vulnerability details

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in storeapps Smart Manager smart-manager-for-wp-e-commerce allows Blind SQL Injection. This issue affects Smart Manager: from n/a through <= 8.52.0.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.

Why these techniques?

The blind SQL injection vulnerability directly enables extraction of sensitive data from the underlying database, mapping to collection from information repositories, specifically databases.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-30571 (shared CWE-89)
CVE-2024-57775 (shared CWE-89)
CVE-2026-29081 (shared CWE-89)
CVE-2026-48232 (shared CWE-89)
CVE-2025-30791 (shared CWE-89)
CVE-2026-32366 (shared CWE-89)
CVE-2024-57770 (shared CWE-89)
CVE-2025-23784 (shared CWE-89)
CVE-2025-31466 (shared CWE-89)
CVE-2026-40745 (shared CWE-89)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent

SI-10 directly prevents SQL injection by requiring validation and neutralization of special elements in user inputs before incorporation into SQL commands.

Prevent

SI-2 ensures timely patching and remediation of the specific Blind SQL Injection flaw in the Smart Manager plugin versions through 8.52.0.

Prevent / Detect

RA-5 requires vulnerability scanning that identifies SQL injection vulnerabilities like CVE-2025-22710 in WordPress plugins, enabling remediation.
