{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25371", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:55.300Z", "datePublished": "2026-03-25T16:14:45.995Z", "dateUpdated": "2026-04-06T19:46:06.351Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://codecanyon.net", "defaultStatus": "unaffected", "packageName": "lumise", "product": "Lumise Product Designer", "vendor": "King-Theme", "versions": [{"changes": [{"at": "2.0.9", "status": "unaffected"}], "lessThanOrEqual": "< 2.0.9", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jarno Vos (jrn5151) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:26.154Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in King-Theme Lumise Product Designer lumise allows Blind SQL Injection.<p>This issue affects Lumise Product Designer: from n/a through < 2.0.9.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in King-Theme Lumise Product Designer lumise allows Blind SQL Injection.This issue affects Lumise Product Designer: from n/a through < 2.0.9."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:45.995Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/lumise/vulnerability/wordpress-lumise-product-designer-plugin-2-0-9-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Lumise Product Designer plugin < 2.0.9 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T19:11:45.623999Z", "id": "CVE-2026-25371", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T19:46:06.351Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25371", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T19:11:45.623999Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:11:40.823Z"}}], "cna": {"title": "WordPress Lumise Product Designer plugin < 2.0.9 - SQL Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jarno Vos (jrn5151) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "affected": [{"vendor": "King-Theme", "product": "Lumise Product Designer", "versions": [{"status": "affected", "changes": [{"at": "2.0.9", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "< 2.0.9"}], "packageName": "lumise", "collectionURL": "https://codecanyon.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:26.154Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/lumise/vulnerability/wordpress-lumise-product-designer-plugin-2-0-9-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in King-Theme Lumise Product Designer lumise allows Blind SQL Injection.This issue affects Lumise Product Designer: from n/a through < 2.0.9.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in King-Theme Lumise Product Designer lumise allows Blind SQL Injection.<p>This issue affects Lumise Product Designer: from n/a through < 2.0.9.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:45.995Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25371", "state": "PUBLISHED", "dateUpdated": "2026-04-06T19:46:06.351Z", "dateReserved": "2026-02-02T12:52:55.300Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:45.995Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in King-Theme Lumise Product Designer lumise allows Blind SQL Injection.This issue affects Lumise Product Designer: from n/a through < 2.0.9."}, {"lang": "es", "value": "Vulnerabilidad de neutralizaci\u00f3n incorrecta de elementos especiales utilizados en un comando SQL ('inyecci\u00f3n SQL') en King-Theme Lumise Product Designer lumise permite inyecci\u00f3n SQL ciega. Este problema afecta a Lumise Product Designer: desde n/a hasta &lt; 2.0.9."}], "id": "CVE-2026-25371", "lastModified": "2026-04-06T20:16:21.487", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:47.693", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/lumise/vulnerability/wordpress-lumise-product-designer-plugin-2-0-9-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.9)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "2.0.9"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Lumise Product Designer", "source": "cna", "vendor": "King-Theme"}, "product": "lumise_product_designer", "vendor": "king-theme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-07T01:29:39.132472+00:00", "value": {"mitigation_remediation": ["Upgrade King\u2011Theme Lumise Product Designer plugin to version 2.0.9 or later", "If an immediate upgrade is not possible, remove or disable the Lumise plugin to eliminate the attack surface", "After upgrading, verify that no unauthorized data has been exposed or modified"], "summary": {"action": "Immediate Patch", "impact": "Data Compromise via Blind SQL Injection"}, "threat_synthesis": {"affected_systems": "King\u2011Theme Lumise Product Designer for WordPress is affected for all versions prior to 2.0.9. Administrators running any of these older plugin releases are at risk if the plugin\u2019s administrative interface is exposed to potential attackers.", "description_and_impact": "The vulnerability arises from improper sanitization of user supplied input that is incorporated into SQL queries, allowing a blind SQL injection attack. An attacker can craft input that leaks database contents or modifies database state without direct feedback, leading to unauthorized data access or persistence of malicious data. This is a classic SQL Injection weakness which is mapped to CWE\u201189 and can undermine the confidentiality and integrity of the application\u2019s data. ", "risk_and_exploitability": "The high CVSS score of 9.3 reflects the severe impact of this flaw, while a very low EPSS score of less than 1 percent suggests limited current exploitation activity. The vulnerability is not present in CISA\u2019s Known Exploited Vulnerabilities catalog. The attack vector is likely remote, executed through crafted HTTP requests to the plugin\u2019s input handling endpoints. Successful exploitation requires the ability to send crafted data to the plugin; no additional authentication or local privileges are indicated in the description. Given the severity, this flaw represents a high risk to any system that uses the vulnerable plugin version."}}}}, "created": "2026-03-25T21:44:50.161352+00:00", "updated": "2026-04-07T08:08:57.373768+00:00", "vendors": ["king-theme", "king-theme$PRODUCT$lumise_product_designer", "wordpress", "wordpress$PRODUCT$wordpress"]}