CVE-2025-10142 in PagBank PagSeguro Connect para WooCommerce Plugin

Summary

by MITRE • 09/10/2025

The PagBank / PagSeguro Connect para WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'status' parameter in all versions up to, and including, 4.44.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.


Analysis

by VulDB Data Team • 09/10/2025

The CVE-2025-10142 vulnerability affects the PagBank / PagSeguro Connect para WooCommerce plugin, a widely used payment processing solution for WordPress e-commerce sites. This vulnerability represents a critical security flaw that allows authenticated attackers with Shop Manager privileges or higher to exploit SQL injection weaknesses within the plugin's database interaction mechanisms. The vulnerability specifically targets the 'status' parameter handling, which serves as an entry point for malicious SQL command injection attempts.

The technical flaw stems from inadequate input sanitization and improper SQL query preparation practices within the plugin's codebase. When the 'status' parameter is processed, the plugin fails to properly escape or parameterize user-supplied input before incorporating it into database queries. This insufficient escaping creates a pathway for attackers to manipulate the intended query structure and inject arbitrary SQL commands. The vulnerability exists across all versions up to and including 4.44.3, indicating a persistent flaw in the plugin's database interaction implementation that has not been adequately addressed in the affected releases.
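The two query-construction patterns the analysis contrasts, as an added illustration that is not code from the PagBank / PagSeguro plugin: the page does not show the plugin's actual query, so the table name, column names, status values and the `pagbank_demo_*` function names are all hypothetical. The weak form splices the `status` parameter into the SQL text; the hardened form allowlists the value and binds it through `$wpdb->prepare()`.

```php
<?php
// Added illustration, not code from the PagBank / PagSeguro plugin.
// Assumes a hypothetical custom orders table; the plugin's real table
// and query are not shown in the advisory.

// Weak pattern (CWE-89): user input concatenated straight into SQL.
// Whatever arrives in ?status= becomes part of the query text, so the
// structure of the query, not just a value, is under the caller's control.
function pagbank_demo_orders_by_status_unsafe( string $status ): array {
    global $wpdb;
    $table = $wpdb->prefix . 'pagbank_demo_orders'; // hypothetical table
    $sql   = "SELECT id, order_id, status FROM {$table} WHERE status = '" . $status . "'";
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}

// Hardened pattern: allowlist the value, then bind it with $wpdb->prepare().
// %s is a placeholder; WordPress escapes the bound value so it is always
// treated as data, never as SQL.
function pagbank_demo_orders_by_status_safe( string $status ): array {
    global $wpdb;

    // Known states for this hypothetical table. Reject anything else
    // before it ever reaches the database.
    $allowed = array( 'pending', 'paid', 'cancelled', 'refunded' );
    $status  = sanitize_key( $status ); // lowercase [a-z0-9_-] only
    if ( ! in_array( $status, $allowed, true ) ) {
        return array();
    }

    $table = $wpdb->prefix . 'pagbank_demo_orders'; // hypothetical table
    $sql   = $wpdb->prepare(
        "SELECT id, order_id, status FROM {$table} WHERE status = %s",
        $status
    );
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}

// Typical admin-side entry point: capability check plus safe lookup.
// Shop Managers hold manage_woocommerce, the role the advisory names as
// sufficient, so the capability check alone does not close the hole;
// the prepared query does.
function pagbank_demo_handle_request(): array {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return array();
    }
    $status = isset( $_GET['status'] ) ? wp_unslash( $_GET['status'] ) : '';
    return pagbank_demo_orders_by_status_safe( (string) $status );
}
```

The allowlist is a defence-in-depth layer on top of `prepare()`; for a free-text filter where no allowlist is possible, the `%s` placeholder alone is what prevents the query structure from being altered.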

The operational impact of this vulnerability is significant for affected WordPress installations, as it enables authenticated attackers to extract sensitive information from the underlying database. Attackers with Shop Manager-level access can leverage this vulnerability to perform unauthorized data extraction, potentially accessing customer information, transaction records, payment details, and other confidential business data stored within the WordPress database. Exploitation requires only Shop Manager privileges, a role below Administrator, which makes the flaw particularly dangerous: any user who already holds store-management capabilities in the WooCommerce environment can abuse it.

From a cybersecurity perspective, this vulnerability aligns with CWE-89, which specifically addresses SQL injection flaws in software applications. The issue demonstrates poor input validation and output encoding practices that violate fundamental security principles for database interactions. The ATT&CK framework categorizes this as a database access technique where adversaries leverage application-level vulnerabilities to extract sensitive information. Organizations using this plugin face increased risk of data breaches, regulatory compliance violations, and potential financial losses due to unauthorized access to customer payment information and business-critical data.

Mitigation strategies should prioritize immediate plugin updates to versions that address the SQL injection vulnerability, ensuring that the latest security patches are applied to eliminate the exploitation vector. System administrators should implement additional monitoring of database queries and access patterns to detect anomalous activity that might indicate exploitation attempts. Network segmentation and principle of least privilege access controls can help limit the potential damage if an attacker successfully exploits the vulnerability. Regular security audits of third-party plugins and automated vulnerability scanning should be implemented as part of comprehensive security monitoring programs to identify similar weaknesses in other installed software components.
