A new and serious security flaw (CVE-2025-1311) was recently discovered in the popular WooCommerce Multivendor Marketplace – REST API plugin for WordPress. This vulnerability allows attackers with at least Subscriber access to perform SQL injection attacks, putting sensitive data at risk for all websites using plugin versions up to and including 1.6.2.
If you operate a WordPress website with this plugin, it is critical you understand the issue and act immediately.
What is CVE-2025-1311?
CVE-2025-1311 is an SQL Injection vulnerability found in the update_delivery_status() function of the plugin’s REST API. The problem arises due to:
- Improper SQL preparation: the SQL queries fed with user data aren’t safely parameterized.
As a result, an attacker with even the lowest-level user account can send specially-crafted requests to manipulate database queries—potentially leaking passwords, emails, or any sensitive database info.
Technical Details (How the Attack Works)
The vulnerable function expects an "id" parameter via the REST API to update order delivery statuses. But this value isn’t properly sanitized. By injecting malicious SQL code into the "id" parameter, an attacker can manipulate the query.
- Affected versions: all versions up to and including 1.6.2.
- Required privilege level: Subscriber and above (so, any logged-in user).
The plugin contains code similar to this (simplified for clarity):

```php
public function update_delivery_status( $request ) {
    global $wpdb;
    $id = $request->get_param( 'id' ); // No validation or escaping!
    // Vulnerable SQL query: $id is interpolated straight into the statement
    $result = $wpdb->query( "UPDATE {$wpdb->prefix}mvm_orders SET status = 'delivered' WHERE id = $id" );
    if ( $result ) {
        return new WP_REST_Response( 'Status updated.', 200 );
    }
    return new WP_REST_Response( 'Error updating status.', 400 );
}
```
If an attacker supplies something like:

```
id=1 OR 1=1
```

the SQL becomes:

```sql
UPDATE wp_mvm_orders SET status = 'delivered' WHERE id = 1 OR 1=1
```

This query would update *every* record (or worse, if new statements are appended with `;`).
Suppose a logged-in Subscriber sends a REST API request like:

```http
POST /wp-json/mvm/v1/orders/update_delivery_status/
Authorization: Bearer [valid_jwt_token]
Content-Type: application/json

{
  "id": "1 OR (SELECT 1 FROM wp_users WHERE user_login = 'admin' AND user_pass LIKE '%$P$%')"
}
```

This will force the database to execute the injected SQL. An advanced attacker could use blind SQL injection to enumerate data in the database, for example, leaking admin password hashes. From there, an attacker could also:
- Escalate privileges: potentially find a pathway to get higher-level accounts.
- Plant backdoors: if paired with another vulnerability, attackers could completely take over the site.
Update Immediately:
The plugin author should be contacted or monitored for a patched version (1.6.3+). If you use WooCommerce Multivendor Marketplace – REST API, disable the plugin until it’s fixed.
Sanitize Data:
If you must use the plugin and can directly edit the code, use $wpdb->prepare() for all SQL queries, e.g.:

```php
$wpdb->query(
    $wpdb->prepare( "UPDATE {$wpdb->prefix}mvm_orders SET status = %s WHERE id = %d", 'delivered', $id )
);
```
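The following is a hardened version of the handler shown earlier, added here as an example and not the plugin's own code. It combines the parameterized query with two further layers the original lacks: a capability check in the route's permission_callback (so a Subscriber never reaches the handler) and integer validation of "id" before any SQL runs. The route name, table name and the manage_woocommerce capability are assumptions.

```php
<?php
// Added example, not the plugin's code. Route, table and capability names are assumed.

add_action( 'rest_api_init', function () {
    register_rest_route( 'mvm/v1', '/orders/update_delivery_status', array(
        'methods'             => 'POST',
        'callback'            => 'mvm_safe_update_delivery_status',
        // Authorization: only users allowed to manage orders, not any logged-in user.
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' ); // assumed capability
        },
        'args' => array(
            'id' => array(
                'required'          => true,
                // Reject anything that is not a positive integer before the
                // callback runs, so a value like "1 OR 1=1" never reaches SQL.
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value )
                        && (int) $value > 0
                        && (string) (int) $value === (string) $value;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function mvm_safe_update_delivery_status( WP_REST_Request $request ) {
    global $wpdb;
    $id = absint( $request->get_param( 'id' ) );

    // Parameterized query: %d forces an integer, %s is quoted and escaped.
    $sql = $wpdb->prepare(
        "UPDATE {$wpdb->prefix}mvm_orders SET status = %s WHERE id = %d",
        'delivered',
        $id
    );
    $result = $wpdb->query( $sql );

    if ( false === $result ) {
        return new WP_Error( 'mvm_db_error', 'Error updating status.', array( 'status' => 500 ) );
    }
    // $wpdb->query() returns the number of affected rows; 0 means no such order.
    if ( 0 === $result ) {
        return new WP_Error( 'mvm_not_found', 'Order not found.', array( 'status' => 404 ) );
    }
    return new WP_REST_Response( array( 'updated' => $id ), 200 );
}
```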
Monitor Logs:
Look for suspicious POST requests to /wp-json/mvm/v1/orders/update_delivery_status/. Look for odd "id" parameters.
Conclusion
CVE-2025-1311 is a severe security risk for any WordPress website using WooCommerce Multivendor Marketplace – REST API up to v1.6.2. Even trusted low-level users can exploit it to access or manipulate the site’s database.
- Patch your site and plugins as soon as possible.
- Always validate and sanitize user input, especially if constructing dynamic SQL.
- For WordPress, well-written plugins should always use $wpdb->prepare().
- If you’re not comfortable handling this yourself, get help from a qualified developer or security professional.
*Stay secure! If in doubt, disable the vulnerable plugin until a fix is available.*
Timeline
Published on: 03/22/2025 07:15:24 UTC