SQL Injection Vulnerability in WCFM Marketplace by WC Lovers
CVE-2025-63029

7.6HIGH

Key Information:

Vendor: WordPress
Status: Wcfm Marketplace
Vendor: CVE Published:; 15 April 2026

What is CVE-2025-63029?

The WCFM Marketplace plugin by WC Lovers is susceptible to an SQL injection flaw that enables attackers to manipulate database queries. This vulnerability could allow unauthorized individuals to execute arbitrary SQL code, potentially leading to data theft or corruption. The issue affects all versions up to 3.7.1, highlighting the importance of timely updates and security measures to protect user data in WordPress environments.

Affected Version(s)

WCFM Marketplace <= 3.7.1

References

https://patchstack.com/database/wordpress/plugin/wc-multi...

vdb-entry

CVSS V3.1

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 15, 2026
Vulnerability Reserved
Oct 24, 2025

Credit

Martino Spagnuolo (r3verii) | Patchstack Bug Bounty Program

CVE-2025-63029 Data

JSON