CVE-2025-22710
Published: 21 January 2025
Summary
CVE-2025-22710 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Databases (T1213.006). The CVE ranks in the top 4.5% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-22710 is a blind SQL injection vulnerability (CWE-89) in the StoreApps Smart Manager plugin for WordPress, also known as smart-manager-for-wp-e-commerce. The flaw stems from improper neutralization of special elements in SQL commands and affects all versions through 8.52.0.
An attacker with high privileges can exploit the issue over the network with low attack complexity and no user interaction required. Successful exploitation yields high confidentiality impact and limited availability effects under a changed scope, allowing the attacker to extract sensitive database contents via blind SQL injection techniques.
The Patchstack advisory for this vulnerability recommends updating the Smart Manager plugin to a version later than 8.52.0 to remediate the SQL injection flaw. The EPSS score stands at 0.1933 and has not risen further since reaching that value.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2934
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in storeapps Smart Manager smart-manager-for-wp-e-commerce allows Blind SQL Injection. This issue affects Smart Manager: from n/a through <= 8.52.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The blind SQL injection vulnerability directly enables extraction of sensitive data from the underlying database, which maps to Data from Information Repositories: Databases (T1213.006).
Mitigating Controls (NIST 800-53 r5)
SI-10 directly prevents SQL injection by requiring validation and neutralization of special elements in user inputs before incorporation into SQL commands.
SI-2 ensures timely patching and remediation of the specific Blind SQL Injection flaw in the Smart Manager plugin versions through 8.52.0.
RA-5 (Vulnerability Monitoring and Scanning) requires vulnerability scanning that identifies SQL injection vulnerabilities like CVE-2025-22710 in WordPress plugins, enabling remediation.