CVE-2025-48118: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability was discovered in WpExperts Hub Woocommerce Partial Shipment plugin affecting versions through 3.2. The vulnerability (CVE-2025-48118) was disclosed on June 11, 2025, and was reported by security researcher timomangcut (Patchstack).

The vulnerability is classified as a SQL Injection (CWE-89) with a CVSS v3.1 Base Score of 8.5 (HIGH), and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L. The vulnerability requires Subscriber-level privileges to exploit (Wiz, Patchstack).

This vulnerability allows malicious actors to directly interact with the database, potentially leading to unauthorized access to sensitive information. The high CVSS score indicates that this vulnerability is considered highly dangerous and is expected to become mass exploited (Patchstack).

While no official fix is available, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks. Website administrators are advised to implement these mitigations immediately to protect their installations. Users are recommended to update to version 3.3 or later when available (Patchstack).