CVE-2025-24767: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2025-24767) was discovered in facturaone TicketBAI Facturas para WooCommerce plugin versions through 3.19. The vulnerability was reported on June 9, 2025, by Martino Spagnuolo (r3verii) and assigned a CVSS v3.1 base score of 9.3 (Critical). This vulnerability allows unauthenticated attackers to perform blind SQL injection attacks against affected WordPress installations (Patchstack).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and allows for blind SQL injection attacks. The critical CVSS score of 9.3 is based on the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed (NVD).

The SQL injection vulnerability could allow malicious actors to directly interact with the database, potentially leading to unauthorized access to sensitive information. The CVSS metrics indicate high confidentiality impact, with potential for data theft and database compromise (Patchstack).

Users are advised to update to version 3.21 or later which contains fixes for this vulnerability. For immediate protection, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).