WC Lovers WCFM Marketplace SQL Injection Vulnerability (CVE-2025-63029)
An SQL Injection vulnerability, identified as CVE-2025-63029, exists in the WC Lovers WCFM Marketplace WordPress plugin up to version 3.7.1, potentially allowing attackers to execute arbitrary SQL queries.
CVE-2025-63029 describes an SQL Injection vulnerability affecting the WC Lovers WCFM (WooCommerce Frontend Manager) Marketplace WordPress plugin. This vulnerability, present in versions up to and including 3.7.1, stems from improper neutralization of special elements within SQL commands. An attacker exploiting this flaw can inject malicious SQL code, potentially leading to unauthorized data access, modification, or deletion within the WordPress database. Given the widespread use of WordPress and the WCFM Marketplace plugin, this vulnerability poses a significant risk to e-commerce websites and their associated sensitive information. Successful exploitation could result in compromised customer data, financial losses, and reputational damage.
Attack Chain
- The attacker identifies a vulnerable WCFM Marketplace instance running a version <= 3.7.1.
- The attacker crafts a malicious HTTP request containing SQL injection payloads in a vulnerable parameter.
- The WCFM Marketplace plugin fails to properly sanitize the attacker-controlled input.
- The unsanitized input is incorporated into an SQL query executed against the WordPress database.
- The injected SQL code modifies the intended query logic.
- The database server executes the attacker’s malicious SQL query.
- The attacker gains unauthorized access to sensitive data stored in the database, such as user credentials, financial information, or product details.
- The attacker may modify or delete data, escalate privileges, or potentially gain control of the WordPress site.
Impact
Successful exploitation of CVE-2025-63029 can have severe consequences. An attacker could gain complete control over the affected WordPress site’s database. This can lead to the theft of sensitive customer data (e.g., usernames, passwords, addresses, payment information), modification of product listings and pricing, or even complete site defacement or takeover. The number of potentially affected sites is substantial, considering the popularity of the WCFM Marketplace plugin.
Recommendation
- Upgrade the WC Lovers WCFM Marketplace plugin to the latest available version, which includes a patch for CVE-2025-63029.
- Deploy the Sigma rule “Detect Suspicious WCFM Marketplace SQL Injection Attempts” to your SIEM to identify potential exploitation attempts targeting this vulnerability.
- Monitor web server logs for suspicious HTTP requests containing potential SQL injection payloads targeting the WCFM Marketplace plugin.
- Review and harden database access controls to minimize the impact of potential SQL injection attacks.
Detection coverage (2 rules)
Detect Suspicious WCFM Marketplace SQL Injection Attempts
Severity: high. Detects potential SQL injection attempts targeting the WC Lovers WCFM Marketplace plugin based on common SQL injection keywords in the URI query.
Detect WCFM Marketplace SQL Injection via POST Data
Severity: high. Detects potential SQL injection attempts targeting the WC Lovers WCFM Marketplace plugin by looking for SQL keywords in POST requests.
Detection queries are kept inside the platform.
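The keyword-based detection the two rules above describe (SQL keywords in the URI query and in POST data), as an added example that is not part of this advisory or of the platform's Sigma rules: a small Python scanner over constructed access-log lines that only alerts on traffic to the plugin, so ordinary site searches containing words like "select" do not fire. The combined log format with an appended body= field, the plugin directory name (taken from the Patchstack URL slug) and the "wcfm" parameter prefix are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Combined access-log format plus an optional logged body (body logging is an assumption here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"(?: body="(?P<body>[^"]*)")?$'
)
# Scope markers: the plugin directory (slug from the Patchstack advisory URL) and the "wcfm"
# prefix of its page/ajax parameter names (assumed for this example).
PLUGIN_MARKERS = ("/wp-content/plugins/wc-multivendor-marketplace/", "wcfm")
# Common SQL keywords/fragments, matched as whole tokens after URL decoding.
SQLI_RE = re.compile(
    r"(\bunion\b\s+(?:all\s+)?\bselect\b|\bselect\b.+\bfrom\b|\bsleep\s*\(|\bbenchmark\s*\("
    r"|\binformation_schema\b|\bor\b\s+\d+\s*=\s*\d+|--\s|/\*|;\s*\bdrop\b)",
    re.IGNORECASE,
)

def decode(value: str) -> str:
    """URL-decode twice so single- and double-encoded payloads both surface."""
    return unquote_plus(unquote_plus(value))

def inspect(line: str):
    """Return a finding for a suspicious request to the plugin, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than alert
    parts = urlsplit(m.group("target"))
    fields = {"path": decode(parts.path), "uri_query": decode(parts.query),
              "post_body": decode(m.group("body") or "")}
    # Only plugin traffic is in scope; this keeps ordinary search queries from alerting.
    if not any(mk in v.lower() for mk in PLUGIN_MARKERS for v in fields.values()):
        return None
    for where in ("uri_query", "post_body"):
        hit = SQLI_RE.search(fields[where])
        if hit:
            return {"src_ip": m.group("ip"), "method": m.group("method"),
                    "location": where, "match": hit.group(0)}
    return None

def scan(lines):  # run inspect() over a batch of lines, keep only the findings
    return [f for f in map(inspect, lines) if f]

# Constructed sample lines: a benign dashboard request, two probes, one out-of-scope request.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Nov/2025:10:01:02 +0000] "GET /store-manager/?wcfm_page=products HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Nov/2025:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=wcfm_placeholder_action&id=1%27%20UNION%20SELECT%201%2C2 HTTP/1.1" 200 310 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Nov/2025:10:01:15 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 310 "-" "curl/8.0" body="action=wcfm_placeholder_action&id=1%20OR%201%3D1--%20"',
    '192.0.2.9 - - [10/Nov/2025:10:02:00 +0000] "GET /?s=select+from+our+catalog HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]
```

Running scan(SAMPLE_LOGS) yields two findings, one from the URI query and one from the POST body; the benign and out-of-scope lines produce none.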
Indicators of compromise
| Type | Value |
|---|---|
| url | https://patchstack.com/database/wordpress/plugin/wc-multivendor-marketplace/vulnerability/wordpress-wcfm-marketplace-plugin-3-7-1-sql-injection-vulnerability?_s_id=cve |