CVE-2025-63029
Published: 15 April 2026
Summary
CVE-2025-63029 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.6 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 12.1st percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-63029 is an Improper Neutralization of Special Elements used in an SQL Command vulnerability, classified as SQL Injection (CWE-89), affecting the WC Lovers WCFM Marketplace plugin (wc-multivendor-marketplace) for WordPress. It affects all plugin versions up to and including 3.7.1 (the advisory gives no lower bound) and was published on 2026-04-15.
The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L): it is reachable over the network with low attack complexity and needs no user interaction, but exploitation requires an account holding high privileges (PR:H), such as an authenticated marketplace vendor or site administrator. The changed scope (S:C) means a flaw in the plugin affects a resource beyond the plugin itself, namely the shared WordPress database, so a successful attacker can read data with high confidentiality impact (C:H); availability impact is low (A:L) and there is no integrity impact (I:N). Because a privileged account is a precondition, the practical risk is concentrated in compromised or malicious privileged users rather than anonymous visitors, which is consistent with the below-median exploit-likelihood ranking above.
Patchstack advisories document the vulnerability, with details available at https://patchstack.com/database/Wordpress/Plugin/wc-multivendor-marketplace/vulnerability/wordpress-wcfm-marketplace-plugin-3-7-1-sql-injection-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-209485
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows SQL Injection. This issue affects WCFM Marketplace: from n/a through 3.7.1 (i.e. all versions <= 3.7.1).
- CWE(s): CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A SQL injection in a public-facing WordPress plugin directly enables exploitation of the web application (T1190) and, once the attacker controls the query, extraction of database contents (T1213.006).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates SQL injection by requiring that untrusted input used in SQL commands be validated against an allow-list and passed as bound parameters (in WordPress, via $wpdb->prepare()) rather than concatenated into the query string.
- SI-2 (Flaw Remediation): ensures timely identification, prioritization, and patching of the flaw; sites running WCFM Marketplace 3.7.1 or earlier should update to a fixed release as tracked in the Patchstack advisory linked above.
- Boundary Protection (SC-7): web application firewalls at system boundaries can inspect traffic and block SQL injection attempts targeting the vulnerable plugin. This is a compensating control that reduces exposure while the plugin is updated; it does not replace patching, and because the vulnerable path is only reachable by privileged users, rules should be checked against normal vendor and administrator traffic to avoid false positives.
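The following is an added example, not code from WCFM Marketplace or Patchstack, illustrating the CWE-89 pattern described in the analysis above and the SI-10 fix described under Mitigating Controls. It uses a constructed in-memory SQLite table (`vendor_orders`, its columns, and the sample rows are all assumptions) and a constructed injection string; it does not reproduce the plugin's actual vulnerable query. Python with the standard `sqlite3` module is used so the block runs offline; the WordPress equivalent of the bound-parameter fix is `$wpdb->prepare()`.

```python
"""CWE-89 demo: a privileged request parameter spliced into SQL versus
validated and bound. Added illustrative example; schema, rows and the
payload are constructed and are not taken from the real plugin."""
import re
import sqlite3

# Constructed sample data: a marketplace-style table a vendor report might read.
SCHEMA = """
CREATE TABLE vendor_orders (
    order_id INTEGER PRIMARY KEY,
    vendor_id INTEGER NOT NULL,
    customer_email TEXT NOT NULL,
    total REAL NOT NULL
);
"""
ROWS = [
    (1, 10, "alice@example.com", 42.50),
    (2, 10, "bob@example.com", 99.00),
    (3, 20, "carol@example.com", 15.25),
]

# Allow-list for the vendor_id request parameter (SI-10): a positive integer only.
VENDOR_ID_RE = re.compile(r"^[1-9][0-9]{0,9}$")


def connect() -> sqlite3.Connection:
    """Build the in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO vendor_orders VALUES (?, ?, ?, ?)", ROWS)
    return conn


def orders_vulnerable(conn: sqlite3.Connection, vendor_id: str) -> list:
    """CWE-89: the request value is concatenated into the statement.

    The caller is only meant to see rows for their own vendor_id, but a
    crafted value rewrites the WHERE clause and the whole table is returned,
    which is the cross-scope confidentiality impact (S:C / C:H) in the vector.
    """
    sql = ("SELECT order_id, customer_email FROM vendor_orders "
           f"WHERE vendor_id = {vendor_id}")
    return conn.execute(sql).fetchall()


def orders_bound_only(conn: sqlite3.Connection, vendor_id: str) -> list:
    """Parameter binding alone: the value is data, never parsed as SQL.

    The payload no longer alters the query; it is simply compared as a
    string and matches nothing.
    """
    sql = "SELECT order_id, customer_email FROM vendor_orders WHERE vendor_id = ?"
    return conn.execute(sql, (vendor_id,)).fetchall()


def orders_hardened(conn: sqlite3.Connection, vendor_id: str) -> list:
    """SI-10 fix: reject anything outside the allow-list, then bind.

    Validation first gives a clean error for bad input instead of a silent
    empty result, and binding guarantees the database never sees it as SQL.
    """
    if not VENDOR_ID_RE.match(vendor_id):
        raise ValueError(f"rejected vendor_id: {vendor_id!r}")
    sql = "SELECT order_id, customer_email FROM vendor_orders WHERE vendor_id = ?"
    return conn.execute(sql, (int(vendor_id),)).fetchall()


def demo() -> dict:
    """Run the three variants against a legitimate value and a constructed payload."""
    conn = connect()
    payload = "10 OR 1=1"  # constructed injection string; tautology dumps every row
    result = {
        "legit_vulnerable": orders_vulnerable(conn, "10"),
        "payload_vulnerable": orders_vulnerable(conn, payload),
        "payload_bound_only": orders_bound_only(conn, payload),
        "legit_hardened": orders_hardened(conn, "10"),
    }
    try:
        orders_hardened(conn, payload)
        result["payload_hardened"] = "accepted"
    except ValueError:
        result["payload_hardened"] = "rejected"
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable variant returns two rows for a legitimate vendor id and all three for the payload; binding alone returns nothing for the payload, and the validated variant refuses it outright. A WAF rule (the boundary-protection control above) would sit in front of this code matching strings like the payload; the two code-level controls are what close the flaw.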