WooMail WooCommerce Email Customizer Missing Authorization Vulnerability Allowing SQL Injection

Vulnerability

A vulnerability exists in the WooMail - WooCommerce Email Customizer plugin for WordPress, in all versions through 3.0.34. The issue arises from a lack of proper capability checks in the 'template_delete_saved' function, allowing authenticated attackers with Subscriber-level access or higher to inject SQL into a post deletion query, potentially leading to unauthorized data manipulation.
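
The defect class described above, shown as a hardened handler. This is an added example, not WooMail's source code and not the vendor's patch. The handler name, AJAX action, nonce action, the 'template_id' field, the 'example_email_tpl' post type and the choice of the manage_woocommerce capability are all assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical handler, not the plugin's own code.
// Assumed names: example_template_delete_saved, 'template_id', 'nonce',
// and the 'example_email_tpl' post type.

add_action( 'wp_ajax_example_template_delete_saved', 'example_template_delete_saved' );

function example_template_delete_saved() {
    global $wpdb;

    // 1. CSRF: check_ajax_referer() stops the request unless it carries a
    //    valid nonce for this action.
    check_ajax_referer( 'example_template_delete_saved', 'nonce' );

    // 2. Authorization: wp_ajax_* hooks fire for every logged-in user,
    //    Subscribers included, so the handler must test a capability itself.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input: coerce the id to a non-negative integer before any use.
    $template_id = isset( $_POST['template_id'] )
        ? absint( wp_unslash( $_POST['template_id'] ) )
        : 0;
    if ( 0 === $template_id ) {
        wp_send_json_error( array( 'message' => 'Invalid template id' ), 400 );
    }

    // 4. Query: bind values through $wpdb->prepare() placeholders instead of
    //    concatenating request data into the SQL string, and scope the
    //    DELETE to the plugin's own post type so other posts are untouched.
    $deleted = $wpdb->query(
        $wpdb->prepare(
            "DELETE FROM {$wpdb->posts} WHERE ID = %d AND post_type = %s",
            $template_id,
            'example_email_tpl'
        )
    );

    // $wpdb->query() returns the affected row count, or false on error.
    if ( ! $deleted ) {
        wp_send_json_error( array( 'message' => 'Template not found' ), 404 );
    }
    wp_send_json_success();
}
```

Where no raw query is required, wp_delete_post() behind the same capability and nonce checks also removes the post's metadata.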

Impact

Exploitation of this vulnerability could allow an attacker to inject SQL, manipulating database queries and potentially accessing or modifying sensitive data.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 5.2
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.