CVE-2025-3428

4.9 MEDIUM

📋 TL;DR

The 3DPrint Lite WordPress plugin contains an SQL injection vulnerability in the 'coating_text' parameter that allows unauthenticated attackers to execute arbitrary SQL queries. This can lead to unauthorized access to sensitive database information. All WordPress sites using 3DPrint Lite version 2.1.3.6 or earlier are affected.

💻 Affected Systems

Products:
  • 3DPrint Lite WordPress Plugin
Versions: All versions up to and including 2.1.3.6
Operating Systems: All platforms running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin activated.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers extract sensitive data including user credentials, personal information, and administrative access, potentially leading to complete site compromise.

🟠 Likely Case

Attackers extract database contents such as user emails, hashed passwords, and plugin configuration data.

🟢 If Mitigated

Limited information disclosure if database permissions are properly restricted and sensitive data is encrypted.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via GET/POST parameters requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2.1.3.6

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3249784%403dprint-lite&new=3249784%403dprint-lite&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 3DPrint Lite and click 'Update Now'
4. Verify plugin version is greater than 2.1.3.6

🔧 Temporary Workarounds

Temporary Plugin Deactivation

Platform: all

Disable the vulnerable plugin until patched:

wp plugin deactivate 3dprint-lite

Web Application Firewall Rule

Platform: all

Block requests containing SQL injection patterns targeting the coating_text parameter.

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries in custom code
  • Restrict database user permissions to SELECT only for the plugin's tables

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → 3DPrint Lite version number

Check Version:

wp plugin get 3dprint-lite --field=version

Verify Fix Applied:

Confirm that the plugin version is greater than 2.1.3.6 and test the coating_text parameter with SQL injection payloads.
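A shell version check, added here as an example (it is not part of the advisory and not the plugin author's code): it compares an installed version against the last affected release, 2.1.3.6, component by component, so that 2.1.3.10 is correctly treated as newer than 2.1.3.6 (a plain string comparison gets this wrong), and wraps the `wp plugin get 3dprint-lite --field=version` call quoted above. The function names are my own; the script assumes purely numeric dotted versions.

```shell
#!/bin/sh
# Added example, not part of the advisory: decide whether an installed
# 3DPrint Lite version falls in the affected range (<= 2.1.3.6).
# Function names are my own; the wp-cli call is the one quoted on the page.

LAST_AFFECTED="2.1.3.6"   # from the advisory: all versions up to and including this

# version_le A B: exit 0 when A <= B, comparing dotted components numerically.
# A missing component counts as 0, so 2.1.3 <= 2.1.3.6 and 2.1.3.10 > 2.1.3.6.
# Assumes purely numeric components (no "-beta" style suffixes).
version_le() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}                              # leading component of each
        if [ "$a" = "$ai" ]; then a=""; else a=${a#*.}; fi    # drop it from the remainder
        if [ "$b" = "$bi" ]; then b=""; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 0
}

# is_affected VERSION: exit 0 when VERSION is in the affected range.
is_affected() { version_le "$1" "$LAST_AFFECTED"; }

# check_site: read the live version with wp-cli (run from the WordPress root)
# and report; exit 0 if affected, 1 if outside the range, 2 if it could not be read.
check_site() {
    v=$(wp plugin get 3dprint-lite --field=version 2>/dev/null) || {
        echo "3dprint-lite not installed or wp-cli unavailable"; return 2; }
    if is_affected "$v"; then
        echo "3dprint-lite $v is AFFECTED (<= $LAST_AFFECTED): update the plugin"
        return 0
    fi
    echo "3dprint-lite $v is outside the affected range"
    return 1
}
```

Run `check_site` from the WordPress root on each site; a non-zero exit of 2 means the check itself did not run, which should be treated as unknown rather than as patched.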

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in WordPress debug logs
  • Multiple requests with SQL keywords in coating_text parameter

Network Indicators:

  • HTTP requests containing SQL injection patterns in GET/POST parameters

SIEM Query:

source="wordpress.log" AND "coating_text" AND ("UNION" OR "SELECT" OR "INSERT" OR "DELETE")
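The matching logic behind the SIEM query above and the WAF workaround earlier, worked through as an added example (not the advisory's own query and not a vendor rule) over three constructed access-log lines: the keyword-anywhere rule also fires on a harmless coating value that merely contains the word "select", while a rule that isolates the coating_text value, undoes %20 encoding and requires SQL syntax rather than a lone keyword keeps the true positive and drops the false one. The log format, sample lines and function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the advisory: compare the page's keyword rule
# with a value-scoped rule over constructed access-log lines.

# Constructed sample log lines (not real traffic): a normal request, a benign
# value containing the word "select", and one suspicious value.
SAMPLE_LOG='10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /?p3d_coating_text=matte HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?coating_text=select%20a%20finish HTTP/1.1" 200 210
10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /?coating_text=matte%20UNION%20SELECT%201 HTTP/1.1" 500 0'

# naive_hits: the advisory's SIEM rule as a grep: any line mentioning
# coating_text that contains one of the keywords anywhere (case-insensitive).
# Reads log lines on stdin and prints the count.
naive_hits() {
    grep -Eic 'coating_text.*(UNION|SELECT|INSERT|DELETE)' || true
}

# tighter_hits: isolate the coating_text value, decode %20 and '+' to spaces,
# and count only values carrying SQL syntax (UNION [ALL] SELECT, or an
# INSERT INTO / DELETE FROM clause) rather than a lone keyword.
tighter_hits() {
    awk '
        {
            if (match($0, /coating_text=[^ &]*/) == 0) next
            val = substr($0, RSTART + 13, RLENGTH - 13)   # "coating_text=" is 13 chars
            gsub(/%20|[+]/, " ", val)
            v = toupper(val)
            if (v ~ /UNION[[:space:]]+(ALL[[:space:]]+)?SELECT/ ||
                v ~ /(^|[^A-Z])(INSERT|DELETE)[[:space:]]+(INTO|FROM)/) n++
        }
        END { print n + 0 }'
}

printf 'keyword-anywhere rule hits: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | naive_hits)"
printf 'value-scoped rule hits:     %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | tighter_hits)"
```

Pipe a real access log into either function (`tighter_hits < access.log`) to compare their noise on your own traffic; the value-scoped rule is the shape to carry into a WAF condition, since blocking on a bare keyword would also reject legitimate coating descriptions.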
