CVE-2025-26875: 
WordPress vulnerability analysis and mitigation

The Multiple Shipping And Billing Address For Woocommerce plugin version 1.3 and earlier contains an SQL Injection vulnerability (CVE-2025-26875). This critical security flaw was discovered by Phan Trong Quan from VNPT Cyber Immunity and was publicly disclosed on March 3, 2025. The vulnerability affects the plugin through version 1.3, with a fix available in version 1.5 (Patchstack).

The vulnerability is classified as an SQL Injection (CWE-89), which involves improper neutralization of special elements used in SQL commands. The severity of this vulnerability is rated as Critical with a CVSS v3.1 score of 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L). The vulnerability is particularly concerning as it can be exploited without authentication (Patchstack).

This vulnerability is considered highly dangerous and is expected to become mass exploited. It allows malicious actors to directly interact with the database, potentially leading to unauthorized access to sensitive information. The high CVSS score indicates severe potential impact on system confidentiality (Patchstack).

Users are strongly advised to update to version 1.5 or later of the Multiple Shipping And Billing Address For Woocommerce plugin immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).