CVE-2025-48281
Published 2025-06-09

CVE-2025-48281: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mystyleplatform MyStyle Custom Product Designer…

Severity: Critical, CVSS 3.1 base score 9.3 (AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:N / A:L)
Priority: P178
Exploitation: exploited in the wild (VulnCheck KEV)
EPSS: 1.31% (67.0th percentile)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mystyleplatform MyStyle Custom Product Designer (mystyle-custom-product-designer) allows Blind SQL Injection. This issue affects MyStyle Custom Product Designer: from n/a through <= 3.21.1.

Affected (3 ranges)

Vendor            Product                                   Version range   Fixed in
msrc              cbl2_libtiff_4.4.0-7_on_cbl_mariner_2.0   -               -
msrc              cm1_libtiff_4.4.0-7_on_cbl_mariner_1.0    -               -
mystyleplatform   mystyle_custom_product_designer           <= 3.21.1       -

Detection & IOCs (extracted from sources)

Version: mystyle-custom-product-designer <= 3.21.1
  • Detect active plugin presence by checking HTTP 200 response body for 'mystyle-custom-product-designer' or 'mystyle-design-profile' strings, which indicates a potentially vulnerable instance.
  • HTTP status code 200 combined with body fingerprint strings is used as the detection condition for vulnerable MyStyle Custom Product Designer installations.
  • The vulnerability is Blind SQL Injection; monitor for anomalous SQL-pattern payloads (e.g., time-based or boolean-based blind injection strings) in requests targeting endpoints served by the mystyle-custom-product-designer WordPress plugin.
  • The Nuclei template targets plugin versions through 3.21.1; ensure version detection is part of the scan condition to avoid false positives on patched installations.
  • Detection relies on body string matching alone (plugin asset strings in HTML); sites that minify or rename assets may evade this fingerprint-based check.

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            v3.1      9.3     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vendor_msrc    -         5.5     MEDIUM     -