CVE-2025-3280: 
WordPress vulnerability analysis and mitigation

The ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes plugin for WordPress contains an SQL Injection vulnerability (CVE-2025-3280) discovered in April 2025. The vulnerability affects all versions up to and including 1.4.9. The plugin has been temporarily closed since April 23, 2025, pending a full security review (NVD, WordPress Plugin).

The vulnerability exists due to insufficient escaping of the 'attributevaluefilter' parameter and lack of proper preparation in existing SQL queries. The issue has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command (NVD).

When exploited, this vulnerability allows authenticated attackers with Subscriber-level access or higher to append additional SQL queries to existing queries. This capability can be leveraged to extract sensitive information from the database (NVD).

As of April 23, 2025, the plugin has been temporarily closed and is not available for download pending a full security review. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress Plugin).