Cyber Resilience

CVE-2025-30791 (severity: High)

Published: 27 March 2025
Modified: 23 April 2026
KEV Added: not listed
Patch: see the Patchstack advisory under Deeper analysis
CVSS v3.1 score: 7.6 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L)
EPSS score: 0.0050 (66.4th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-30791 is a high-severity SQL Injection (CWE-89) vulnerability in the Cart tracking for WooCommerce WordPress plugin by wpdever, affecting versions up to and including 1.0.16. Its CVSS v3.1 base score is 7.6 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Databases (T1213.006). Its EPSS score places it in the top 33.6% of CVEs by exploit likelihood (66.4th percentile), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-30791 is an SQL Injection vulnerability (CWE-89) stemming from improper neutralization of special elements used in an SQL command. It affects the Cart tracking for WooCommerce plugin (cart-tracking-for-woocommerce) developed by wpdever, in all versions up to and including 1.0.16 (the advisory gives no lower bound).

The vulnerability is exploitable over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), but it requires high privileges (PR:H): the attacker must already hold an elevated account on the WordPress site before the injectable query is reachable. A successful injection yields high confidentiality impact (C:H, unauthorized reads of database content), no integrity impact (I:N) and low availability impact (A:L). The scope is changed (S:C) because the affected component (the plugin) and the impacted component (the site's shared WordPress database, which also holds core and other plugins' data) differ. Together these metrics give a CVSS v3.1 base score of 7.6.
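As an added illustration of what CWE-89 means in practice (this is not the plugin's code, and it does not reproduce the actual injection point of CVE-2025-30791, which the page does not describe), the following Python script builds a constructed SQLite database with a cart-tracking table and a separate users table, then runs the same lookup two ways. The vulnerable form splices an attacker-controlled value into the SQL text, so a UNION payload reads rows from a table the lookup was never meant to touch (the confidentiality impact and scope change described above). The hardened form applies an allow-list check on the parameter (NIST SI-10) and binds it as a query parameter. The table names, column names, sample rows, the `cart_id` parameter and the payload are all assumptions made for the example.

```python
"""
Added example (not code from the Cart tracking for WooCommerce plugin):
a constructed SQLite database shows how CWE-89 lets a crafted parameter
change the statement, and how validation plus parameter binding closes it.
Table/column names, rows and the cart_id parameter are assumptions.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a plugin table plus a table it must never expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wp_cart_tracking (cart_id INTEGER, customer_email TEXT, items TEXT);
        INSERT INTO wp_cart_tracking VALUES (1, 'alice@example.com', 'sku-100');
        INSERT INTO wp_cart_tracking VALUES (2, 'bob@example.com', 'sku-200');
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$Bconstructedhash');
        """
    )
    return conn


def lookup_cart_vulnerable(conn: sqlite3.Connection, cart_id: str) -> list:
    """CWE-89: the parameter becomes part of the SQL text, so a crafted value
    alters the statement instead of only the compared value."""
    sql = f"SELECT customer_email, items FROM wp_cart_tracking WHERE cart_id = {cart_id}"
    return conn.execute(sql).fetchall()


def is_valid_cart_id(value: str) -> bool:
    """SI-10 style allow-list check: a cart id is a non-empty string of ASCII digits.
    isascii() is needed because str.isdigit() also accepts Unicode digit glyphs."""
    return value.isdigit() and value.isascii()


def lookup_cart_safe(conn: sqlite3.Connection, cart_id: str) -> list:
    """Hardened form: validate the type first, then bind the value as a parameter
    so the database engine never parses it as SQL. The WordPress equivalent is
    $wpdb->prepare() with a %d placeholder."""
    if not is_valid_cart_id(cart_id):
        raise ValueError("cart_id must be an unsigned integer")
    sql = "SELECT customer_email, items FROM wp_cart_tracking WHERE cart_id = ?"
    return conn.execute(sql, (int(cart_id),)).fetchall()


# Constructed payload: cart_id 0 matches nothing, and the UNION appends rows
# from wp_users, which the cart lookup was never meant to read.
PAYLOAD = "0 UNION SELECT user_login, user_pass FROM wp_users"


def run_demo() -> dict:
    """Run both lookups against the constructed data and return the outcomes."""
    conn = build_db()
    return {
        "vulnerable": lookup_cart_vulnerable(conn, PAYLOAD),
        "safe_rejects_payload": not is_valid_cart_id(PAYLOAD),
        "safe_valid": lookup_cart_safe(conn, "2"),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The vulnerable lookup returns the `wp_users` row for the payload, while the hardened lookup rejects it before any SQL is built and still answers a legitimate id. In a WordPress plugin the same two-step pattern is an `absint()`/type check on the request parameter followed by `$wpdb->prepare( "... WHERE cart_id = %d", $cart_id )`; the `?` placeholder in sqlite3 plays the role of `%d` here.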

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/cart-tracking-for-woocommerce/vulnerability/wordpress-cart-tracking-for-woocommerce-plugin-1-0-16-sql-injection-vulnerability?_s_id=cve.

Vulnerability details

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpdever Cart tracking for WooCommerce (cart-tracking-for-woocommerce) allows SQL Injection. This issue affects Cart tracking for WooCommerce: all versions up to and including 1.0.16 (no lower bound given).

CWE(s)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1213.006 Databases (tactic: Collection)
Adversaries may leverage databases to mine valuable information.
Why these techniques?

The SQL Injection vulnerability (CWE-89) directly enables arbitrary database queries, facilitating unauthorized data access from the application's database (high confidentiality impact).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-30571 (shared CWE-89)
CVE-2024-57775 (shared CWE-89)
CVE-2026-29081 (shared CWE-89)
CVE-2026-48232 (shared CWE-89)
CVE-2026-32366 (shared CWE-89)
CVE-2024-57770 (shared CWE-89)
CVE-2025-23784 (shared CWE-89)
CVE-2025-22710 (shared CWE-89)
CVE-2025-31466 (shared CWE-89)
CVE-2026-40745 (shared CWE-89)

Affected Assets

Cart tracking for WooCommerce plugin (cart-tracking-for-woocommerce) by wpdever, versions up to and including 1.0.16

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly mitigates SQL injection by requiring validation of user inputs to neutralize special elements before they are used in SQL commands.

Flaw remediation and patching (prevent)

Requires timely patching and remediation of the specific flaw in the Cart tracking for WooCommerce plugin, versions up to and including 1.0.16.

RA-5 Vulnerability Monitoring and Scanning (detect)

Enables proactive identification of the SQL injection vulnerability through regular vulnerability scanning of plugins and web applications.
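The patching and scanning controls above both reduce to one question: is an installed copy of the plugin inside the affected range? The following Python script, added here as an example and not taken from the advisory or the plugin, answers it by reading the `Version:` line of a WordPress plugin header and comparing it numerically against 1.0.16. The plugin header text is constructed, and the main-file path `wp-content/plugins/cart-tracking-for-woocommerce/cart-tracking-for-woocommerce.php` is an assumption, since the page does not name the plugin's main file.

```python
"""
Added example (not from the advisory or the plugin): decide whether an
installed Cart tracking for WooCommerce plugin is in the affected range
(all versions up to and including 1.0.16) from its plugin header.
The header below is constructed; the main file name is an assumption.
"""
import re
from pathlib import Path

# Upper bound of the affected range stated in the advisory ("<= 1.0.16").
AFFECTED_MAX = (1, 0, 16)
PLUGIN_SLUG = "cart-tracking-for-woocommerce"


def parse_version(header_text: str) -> tuple:
    """Extract 'Version: x.y.z' from a WordPress plugin header and return it as a
    tuple of ints, so that 1.0.9 sorts below 1.0.16 (a string compare would not)."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.MULTILINE)
    if not m:
        raise ValueError("no Version: header found")
    return tuple(int(part) for part in m.group(1).strip(".").split("."))


def is_affected(version: tuple) -> bool:
    """True when the version is at or below the advisory's upper bound.
    Short versions are padded so that (1, 0) compares as 1.0.0."""
    padded = tuple(list(version) + [0] * (3 - len(version)))
    return padded <= AFFECTED_MAX


def check_install(plugins_dir: str) -> dict:
    """Scan a wp-content/plugins directory for the plugin and classify it.
    The main file name is assumed to match the plugin slug."""
    main_file = Path(plugins_dir) / PLUGIN_SLUG / f"{PLUGIN_SLUG}.php"
    if not main_file.exists():
        return {"installed": False}
    version = parse_version(main_file.read_text(errors="replace"))
    return {"installed": True, "version": version, "affected": is_affected(version)}


# Constructed plugin header in the form WordPress reads from a plugin's main file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Cart tracking for WooCommerce
 * Version: 1.0.16
 */
"""


if __name__ == "__main__":
    v = parse_version(SAMPLE_HEADER)
    print("sample header version:", ".".join(map(str, v)), "affected:", is_affected(v))
    print("live scan:", check_install("/var/www/html/wp-content/plugins"))
```

On a host with WP-CLI the same version can be read with `wp plugin get cart-tracking-for-woocommerce --field=version`; the script is useful where only the files are reachable, for example from a backup or a container image layer. Feed the returned `affected` flag into whatever ticketing or scanning pipeline implements RA-5, and treat any version that still compares at or below 1.0.16 after the patch window as a remediation failure.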
