CVE-2025-52820: 
WordPress vulnerability analysis and mitigation

An SQL Injection vulnerability (CVE-2025-52820) was discovered in the WooCommerce Point Of Sale (POS) plugin affecting versions through 1.4. The vulnerability was reported by Nguyen Kim Sang (HPT Vietnam) on May 14, 2025, and was publicly disclosed on July 24, 2025. This security flaw allows for improper neutralization of special elements used in SQL commands, potentially enabling SQL injection attacks against WordPress installations using the affected plugin (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 8.5 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L. The attack vector is network-based, requires low attack complexity, needs low privileges, and no user interaction. The scope is changed, with high impact on confidentiality and low impact on availability (NVD, AttackerKB).

The SQL injection vulnerability could allow malicious actors to directly interact with the database, potentially leading to unauthorized access to sensitive information. The high CVSS score indicates significant potential impact, particularly on data confidentiality (Patchstack).

No official fix is currently available as the software appears to be abandoned. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks. Users are advised to either implement the virtual patch or consider removing and replacing the plugin with a secure alternative (Patchstack).