SQL Injection Vulnerability in Perfect Brands for WooCommerce Plugin by WordPress
CVE-2025-10144

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Perfect Brands For WooCommerce
Vendor: CVE Published:; 24 November 2025

What is CVE-2025-10144?

The Perfect Brands for WooCommerce plugin for WordPress is susceptible to SQL injection attacks through the brands attribute of the products shortcode. This issue arises from inadequate escaping of the user-supplied parameter and insufficient preparation of the existing SQL query. As a result, authenticated attackers with Contributor-level access and above can inject additional SQL queries into current ones, facilitating the extraction of sensitive database information. Users are encouraged to update to the latest version to mitigate this vulnerability.

Affected Version(s)

Perfect Brands for WooCommerce * <= 3.6.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/perfect-woocom...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 24, 2025
Vulnerability Reserved
Sep 8, 2025

Credit

Jonas Benjamin Friedli

JSON