The B1.lt plugin for WordPress is vulnerable to SQL Injection due to a missing capability check on the b1_run_query AJAX action in all versions up to, and including, 2.2.56. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute and run arbitrary SQL commands.
Metrics
Affected Vendors & Products
References
History
Fri, 18 Jul 2025 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Fri, 18 Jul 2025 05:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The B1.lt plugin for WordPress is vulnerable to SQL Injection due to a missing capability check on the b1_run_query AJAX action in all versions up to, and including, 2.2.56. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute and run arbitrary SQL commands. | |
Title | B1.lt for WooCommerce <= 2.2.56 - Missing Authorization to Authenticated (Subscriber+) Arbitrary SQL Injection | |
Weaknesses | CWE-862 | |
References |
| |
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: Wordfence
Published: 2025-07-18T05:23:57.362Z
Updated: 2025-07-18T14:56:18.412Z
Reserved: 2025-06-26T13:40:59.684Z
Link: CVE-2025-6718

Updated: 2025-07-18T14:54:28.442Z

Status : Awaiting Analysis
Published: 2025-07-18T06:15:27.453
Modified: 2025-07-22T13:06:27.983
Link: CVE-2025-6718

No data.