CVE-2025-22352: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2025-22352) was discovered in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes plugin versions up to and including 1.4.8. The vulnerability was discovered by Webula and publicly disclosed on January 3, 2025. This security issue affects WordPress installations using the vulnerable plugin versions (WPScan, Patchstack).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command (CWE-89). It occurs due to insufficient escaping of user-supplied parameters and lack of proper preparation in existing SQL queries. The vulnerability has received varying CVSS scores: a CVSS 3.1 score of 7.6 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L from Patchstack, and a CVSS score of 4.9 (MEDIUM) from other sources (NVD, Patchstack).

The vulnerability allows authenticated attackers with shop manager-level access or above to append additional SQL queries to existing queries. This capability can be exploited to extract sensitive information from the database (WPScan).

As of the vulnerability disclosure, no official fix is available for this security issue. The vulnerability affects versions up to and including 1.4.8 of the plugin (Patchstack).