CVE-2025-30765
Published: 27 March 2025
Summary
CVE-2025-30765 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 33.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-30765 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, enabling Blind SQL Injection, in the WPPOOL FlexStock stock-sync-with-google-sheet-for-woocommerce WordPress plugin. This issue affects FlexStock versions from n/a through 3.13.1. The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L) and is associated with CWE-89. It was published on 2025-03-27.
Exploitation requires high privileges (PR:H), allowing authenticated attackers with such access to target the vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation results in high confidentiality impact (C:H) through data extraction via blind SQL injection, low availability impact (A:L), no integrity impact (I:N), and a changed scope (S:C), potentially compromising sensitive database information.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/stock-sync-with-google-sheet-for-woocommerce/vulnerability/wordpress-flexstock-3-13-1-sql-injection-vulnerability?_s_id=cve provides further details on the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8405
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPPOOL FlexStock stock-sync-with-google-sheet-for-woocommerce allows Blind SQL Injection.This issue affects FlexStock: from n/a through <= 3.13.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection vulnerability in a public-facing WordPress plugin directly enables exploitation of the web application for database data extraction.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 requires validation and sanitization of all inputs used in SQL commands, directly preventing blind SQL injection exploits like CVE-2025-30765.
SI-2 mandates timely flaw remediation, including patching or removing the vulnerable FlexStock plugin versions <=3.13.1 affected by this SQL injection.
AC-6 enforces least privilege to minimize the number of high-privilege (PR:H) accounts that could exploit this privilege-required SQL injection vulnerability.