CVE-2025-47608
published 2025-06-09

CVE-2025-47608: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in sonalsinha21 Recover abandoned cart for WooCommerce…

Priority: P265 · Severity: critical · CVSS 3.1 base score: 9.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Tag: EXPLOIT
EPSS: 0.66% (47.0th percentile)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in sonalsinha21 Recover abandoned cart for WooCommerce (recover-wc-abandoned-cart) allows SQL Injection. This issue affects Recover abandoned cart for WooCommerce: from n/a through <= 2.5.

Affected

1 range
Vendor: sonalsinha21
Product: recover_abandoned_cart_for_woocommerce
Version range: <= 2.5
Fixed in: (not stated)

Detection & IOCs (extracted from sources)

cookie: wp_woocommerce_session
other: billing_first_name
other: save_data
  • Monitor WordPress AJAX requests targeting the save_data action with anomalous or SQL-syntax-containing values in the billing_first_name parameter.
  • Flag requests that carry a wp_woocommerce_session cookie alongside suspicious billing_first_name payloads, as a valid session cookie with at least one cart item is a prerequisite for exploitation.
  • The vulnerability is unauthenticated — no WordPress login session is needed, only a WooCommerce session cookie, so WAF rules should not rely on authenticated-user context to filter these requests.
  • The NVD entry references the plugin 'recover-wc-abandoned-cart' (sonalsinha21) affected through version 2.5, while the Metasploit module references a different 'Abandoned Cart for WooCommerce' plugin affected prior to version 5.8.2. Verify which plugin slug is present in the target environment before applying detections.
  • Exploitation requires the attacker to first obtain or generate a valid wp_woocommerce_session cookie with at least one item in the cart; detections should account for this prerequisite step (e.g., a prior POST to add-to-cart).
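The detection points above (the save_data AJAX action, SQL syntax in billing_first_name, and the wp_woocommerce_session prerequisite) can be turned into a single request classifier. The following is an added example written for this page, not code from the plugin vendor, NVD or the Metasploit module. It assumes requests have already been parsed into method, path, form body and Cookie header (as a WAF or request-logging proxy would provide), and it relies on the fact that WooCommerce names its session cookie wp_woocommerce_session_<hash>. The sample requests are constructed for illustration; the function names and field names are the example's own.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode

# SQL syntax fragments that have no business in a customer's first name.
# A lone apostrophe is deliberately NOT matched: O'Brien is a legitimate name,
# so the quote only counts when followed by a boolean operator or a comment.
SQL_SYNTAX = re.compile(
    r"(?i)"
    r"\bunion\b\s+(?:all\s+)?select\b"                            # UNION SELECT
    r"|\b(?:sleep|benchmark|load_file|extractvalue|updatexml)\s*\("  # time/error-based helpers
    r"|'\s+(?:or|and)\s+"                                         # ' OR ... / ' AND ...
    r"|--(?:\s|$)|/\*|\*/|#\s*$"                                  # SQL comment sequences
    r"|\binformation_schema\b"
)


@dataclass
class Verdict:
    matches_cve_pattern: bool          # save_data action + SQL syntax in billing_first_name
    has_session_cookie: bool           # wp_woocommerce_session present (exploitation prerequisite)
    reasons: list = field(default_factory=list)


def parse_cookies(header: str) -> dict:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def classify_request(method: str, path: str, body: str, cookie_header: str = "") -> Verdict:
    """Flag a request that matches the CVE-2025-47608 detection pattern.

    Only POSTs to admin-ajax.php with action=save_data are in scope; anything
    else is returned as a non-match without inspecting the body further.
    """
    cookies = parse_cookies(cookie_header)
    # WooCommerce appends a hash to the cookie name, hence the prefix check.
    has_session = any(name.startswith("wp_woocommerce_session") for name in cookies)
    reasons = []

    if method.upper() != "POST" or not path.endswith("admin-ajax.php"):
        return Verdict(False, has_session, reasons)

    form = parse_qs(body, keep_blank_values=True)
    if form.get("action", [""])[0] != "save_data":
        return Verdict(False, has_session, reasons)

    for value in form.get("billing_first_name", []):
        hit = SQL_SYNTAX.search(value)
        if hit:
            reasons.append(f"SQL syntax in billing_first_name: {hit.group(0)!r}")

    matched = bool(reasons)
    if matched and not has_session:
        # Without a session cookie the request cannot reach the vulnerable path;
        # still worth logging, as it usually indicates an automated probe.
        reasons.append("no wp_woocommerce_session cookie: prerequisite missing, likely scanner/probe")
    return Verdict(matched, has_session, reasons)


# Constructed sample requests (not captured traffic). Cookie values are placeholders.
SESSION = "wp_woocommerce_session_abc123=t_placeholder; wordpress_test_cookie=WP+Cookie+check"
SAMPLE_REQUESTS = [
    # 1. Legitimate shopper whose name contains an apostrophe: must not alert.
    {"method": "POST", "path": "/wp-admin/admin-ajax.php", "cookie_header": SESSION,
     "body": urlencode({"action": "save_data", "billing_first_name": "O'Brien",
                        "billing_email": "shopper@example.com"})},
    # 2. UNION-style syntax in the name with a valid session: alert.
    {"method": "POST", "path": "/wp-admin/admin-ajax.php", "cookie_header": SESSION,
     "body": urlencode({"action": "save_data", "billing_first_name": "Bob' UNION SELECT 1,2,3-- "})},
    # 3. Time-based syntax but no session cookie: alert, prerequisite flagged as missing.
    {"method": "POST", "path": "/wp-admin/admin-ajax.php", "cookie_header": "",
     "body": urlencode({"action": "save_data", "billing_first_name": "Bob' AND SLEEP(5)-- "})},
    # 4. Same syntax under a different AJAX action: out of scope for this CVE's pattern.
    {"method": "POST", "path": "/wp-admin/admin-ajax.php", "cookie_header": SESSION,
     "body": urlencode({"action": "heartbeat", "billing_first_name": "Bob' UNION SELECT 1-- "})},
]


def scan_samples() -> list:
    """Classify every constructed sample; returns one Verdict per request."""
    return [classify_request(**req) for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for i, verdict in enumerate(scan_samples(), 1):
        print(f"sample {i}: match={verdict.matches_cve_pattern} session={verdict.has_session_cookie} {verdict.reasons}")
```

Web-server access logs normally do not record POST bodies, so this needs a WAF, reverse proxy or application-level request log that captures form fields. The session-cookie check is kept separate from the match decision on purpose: a request with SQL syntax but no session is still worth an alert, but the two cases deserve different triage priority given the prerequisite noted above.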