CVE-2025-48281 Scanner
CVE-2025-48281 Scanner - SQL Injection vulnerability in MyStyle Custom Product Designer
Short Info
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 22 days 15 hours
Scan only one: Domain, Subdomain, IPv4
The MyStyle Custom Product Designer is a plugin used with WordPress. It is typically employed by e-commerce businesses and designers who wish to provide a personalized product design interface on their websites. Users can create custom designs for products like clothing, accessories, and other customizable goods. This tool is widely used due to its flexibility and user-friendly interface, making it a go-to solution for many small to medium-sized enterprises. By integrating directly into WordPress, it offers seamless functionality for site administrators.
The vulnerability of concern is SQL Injection, which occurs when an attacker exploits insufficient input validation to append malicious SQL commands to a query. This issue was identified in the MyStyle Custom Product Designer plugin in versions up to and including 3.21.1. When exploited, it allows unauthorized users to access and manipulate database content. The severity of this vulnerability is elevated because of the potential access to sensitive information stored in the database.
In technical terms, the injection point is the orderby parameter accessed via the '/designs/' endpoint, where user input is improperly sanitized before it is used in SQL queries. This makes the system susceptible to time-based blind SQL injection attacks. By injecting additional SQL commands, attackers can eventually access unauthorized data such as user credentials, password hashes, and other private information from the database.
If successfully exploited, an attacker may gain access to administrative accounts or other confidential data, leading to a further compromise of the site's integrity and security. Sensitive user information can be harvested, and the overall database could be manipulated, altered, or corrupted. This exposure could lead to severe reputational damage and financial repercussions for affected businesses.
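For asset owners reviewing their own web server logs, the following added example (not part of the scanner or the plugin) flags requests to the '/designs/' endpoint whose orderby value is anything other than a plain column name. It assumes combined-format access logs and that orderby arrives as a query-string parameter; the log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:10:00:00 +0000] "GET /designs/?orderby=title HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2025:10:00:05 +0000] "GET /designs/?orderby=date&order=desc HTTP/1.1" 200 5090 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2025:10:01:00 +0000] "GET /designs/?orderby=title%2C%28SELECT%20SLEEP%285%29%29 HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2025:10:01:09 +0000] "GET /designs/?orderby=1%2C2 HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2025:10:01:15 +0000] "GET /shop/?orderby=price HTTP/1.1" 200 812 "-" "curl/8.0"
"""

# Client address, timestamp and request target from a combined-format line.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
# A legitimate sort key is a single bare identifier; \Z rejects trailing newlines.
PLAIN_COLUMN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")
# Function names typical of time-based blind probing against MySQL.
DELAY_WORDS = re.compile(r"\b(sleep|benchmark)\b", re.IGNORECASE)


def suspicious_orderby(log_text, endpoint="/designs/"):
    """Return one finding per non-identifier orderby value sent to the endpoint."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST.match(line)
        if not match:
            continue  # not a request line we can parse
        client, when, target = match.groups()
        url = urlsplit(target)
        if endpoint not in url.path:
            continue
        # parse_qs percent-decodes values, so encoded payloads are compared in clear.
        for value in parse_qs(url.query, keep_blank_values=True).get("orderby", []):
            if PLAIN_COLUMN.match(value):
                continue
            reason = "delay-function" if DELAY_WORDS.search(value) else "not-a-column-name"
            findings.append({"client": client, "time": when,
                             "orderby": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in suspicious_orderby(SAMPLE_LOG):
        print(finding)
```

A hit shows that the parameter was probed, not that data was extracted; correlate flagged requests with response times and database logs before drawing conclusions.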