CVE-2025-23967
📋 TL;DR
This SQL injection vulnerability in the GG Bought Together for WooCommerce WordPress plugin allows attackers to execute arbitrary SQL commands on the database. All WordPress sites using vulnerable versions of this plugin are affected, potentially leading to data theft, modification, or deletion.
💻 Affected Systems
- GG Bought Together for WooCommerce WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including sensitive customer data (personal information, payment details), administrative takeover of the WordPress site, and potential server compromise if database permissions allow file system access.
Likely Case
Data exfiltration of WooCommerce customer information, order history, and potentially credential theft from WordPress user tables.
If Mitigated
Limited impact with proper database user permissions, though still allows unauthorized data access within the plugin's database context.
🎯 Exploit Status
SQL injection vulnerabilities in WordPress plugins are frequently weaponized quickly. The CVE description suggests unauthenticated access is possible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.3 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'GG Bought Together for WooCommerce'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.0.3+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the GG Bought Together plugin until it is patched
wp plugin deactivate gg-bought-together
Web Application Firewall (WAF) rules
Implement SQL injection detection and blocking rules
🧯 If You Can't Patch
- Implement strict database user permissions limiting plugin database account to SELECT-only operations
- Deploy a web application firewall with SQL injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for GG Bought Together version. If version is 1.0.2 or earlier, you are vulnerable.
Check Version:
wp plugin get gg-bought-together --field=version
Verify Fix Applied:
Verify plugin version is 1.0.3 or later in WordPress admin panel.
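The version check above can be scripted so it can run across many sites. The following is an added example, not part of the advisory or the plugin project: it compares an installed version string against the fixed release (1.0.3) with a numeric, dot-separated comparison, and optionally reads the installed version through the wp-cli command already shown. The WordPress install path is an assumption.

```shell
#!/bin/sh
# Added example: classify an installed GG Bought Together version as
# vulnerable (< 1.0.3) or patched (>= 1.0.3), per the advisory's fix version.
FIXED_VERSION="1.0.3"

# version_ge A B -> returns 0 when A >= B, comparing up to three numeric
# dot-separated components; missing components count as 0 (1.1 == 1.1.0).
version_ge() {
  a="$1"; b="$2"; i=1
  while [ "$i" -le 3 ]; do
    ap=$(printf '%s' "$a" | cut -d. -f"$i"); ap=${ap:-0}
    bp=$(printf '%s' "$b" | cut -d. -f"$i"); bp=${bp:-0}
    if [ "$ap" -gt "$bp" ]; then return 0; fi
    if [ "$ap" -lt "$bp" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# plugin_status VERSION -> prints "patched" or "vulnerable"
plugin_status() {
  if version_ge "$1" "$FIXED_VERSION"; then echo patched; else echo vulnerable; fi
}

# check_site [WP_PATH] -> reads the installed version via wp-cli and prints
# the status; prints "unknown" (exit 2) when the plugin or wp-cli is absent.
# The default path /var/www/html is an assumption for this example.
check_site() {
  v=$(wp plugin get gg-bought-together --field=version \
        --path="${1:-/var/www/html}" 2>/dev/null) || { echo unknown; return 2; }
  plugin_status "$v"
}

# Only query a live site when wp-cli is actually on PATH.
command -v wp >/dev/null 2>&1 && check_site "$@"
```

Run it on the web server as the site owner (wp-cli refuses to run as root by default); a result of "unknown" usually means the plugin is not installed, which is the safest outcome here.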
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in WordPress or database logs
- Multiple failed SQL syntax attempts
- Unexpected database errors in WordPress debug logs
Network Indicators:
- HTTP requests with SQL syntax in parameters (UNION, SELECT, etc.)
- Abnormal traffic patterns to WooCommerce product pages
SIEM Query:
source="wordpress.log" AND "gg-bought-together" AND ("SQL" OR "database error" OR "mysql")
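For sites without a SIEM, the network indicators above can be checked directly against the web server access log. This is an added example and not part of the advisory: it flags only those requests that both target the plugin (by slug or action name in the request path) and carry SQL-looking syntax or quotes, raw or URL-encoded, in the query string, then summarizes hits per source address. The log lines are constructed for the example, and the admin-ajax action name is an assumption about how the plugin is called.

```shell
#!/bin/sh
# Added example: detect plugin requests whose query string carries SQL
# syntax, over common-log-format access log lines read from stdin.
# SAMPLE_LOG is constructed for this example; the gg_bought_together
# ajax action name is an assumption, not taken from the plugin.
SAMPLE_LOG='203.0.113.5 - - [10/May/2025:10:00:01 +0000] "GET /?p=42 HTTP/1.1" 200 5120
203.0.113.9 - - [10/May/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=gg_bought_together&product_id=42 HTTP/1.1" 200 812
198.51.100.7 - - [10/May/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=gg_bought_together&product_id=42%20UNION%20SELECT%201 HTTP/1.1" 500 0
198.51.100.7 - - [10/May/2025:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=gg_bought_together&product_id=42%27 HTTP/1.1" 500 0
203.0.113.5 - - [10/May/2025:10:00:05 +0000] "GET /product/select-shelf/ HTTP/1.1" 200 7000'

# suspicious_lines: print log lines where field 7 (the request target)
# names the plugin AND contains a quote, SQL keyword, sleep() call or
# comment marker, in raw or percent-encoded form. Requiring both parts
# keeps ordinary pages whose URL merely contains "select" out of the output.
suspicious_lines() {
  awk '
    { lc = tolower($7) }
    lc ~ /gg[-_]bought[-_]together/ &&
    lc ~ /(%27|'\''|%22|%20union%20|[+]union[+]|%20select|[+]select|sleep%28|sleep\(|%2d%2d|--|;|%3b)/ { print }
  '
}

# suspicious_count: number of flagged lines (prints 0 on no hits)
suspicious_count() {
  suspicious_lines | awk 'END { print NR }'
}

# suspicious_sources: flagged request count per client IP, busiest first
suspicious_sources() {
  suspicious_lines | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Stand-alone run over the constructed sample (use `suspicious_sources < access.log` on real data)
printf '%s\n' "$SAMPLE_LOG" | suspicious_sources
```

Treat hits as triage input rather than proof of compromise: a 500 status on a flagged request, as in the sample, is the combination most worth correlating with the "database error" entries the SIEM query above looks for.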