WCFM Marketplace SQLi: High-Severity Flaw Patched
The National Vulnerability Database (NVD) has documented a high-severity SQL injection vulnerability, CVE-2025-63029, in WC Lovers' WCFM Marketplace plugin for WordPress. The flaw is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and carries a CVSS v3.1 base score of 7.6, which is HIGH, not critical.
According to NVD, all WCFM Marketplace versions up to and including 3.7.1 are affected; the entry gives no further detail on the vulnerable component or parameter. The vector's PR:H metric limits exploitation to an authenticated user who already holds high privileges on the site, and such a user can inject arbitrary SQL into the affected query. The impact metrics describe a read-oriented injection: confidentiality is rated high (C:H), so database contents such as user records or order data could be exposed, while integrity is unaffected (I:N) and availability is only slightly degraded (A:L). That rules out direct data modification through the flaw, so "system compromise" is not what the scoring indicates. Note also that with these impact metrics a base score of 7.6 corresponds to a scope-changed (S:C) vector; the same metrics with unchanged scope would score 5.5. Sites running 3.7.1 or earlier should move to the first release after 3.7.1 and, until then, review which accounts hold high-privilege roles.
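To make the CWE-89 pattern concrete, the following is an added example, not code from the WCFM Marketplace plugin or from the advisory: a minimal model of a SELECT-context injection, with the string-concatenated query beside its parameterised form. The table names, columns, rows and payloads are all constructed here for the demonstration; the plugin's real query, parameter and endpoint are not known from the NVD entry and are not assumed. SQLite stands in for MySQL; the injection mechanics are the same.

```python
"""
Added example (not the WCFM Marketplace plugin's code): CWE-89 in a
SELECT context, vulnerable form beside the hardened form.
All tables, rows and payloads below are constructed for the demo.
"""
import sqlite3

# Constructed payloads: a tautology that widens the WHERE clause, a UNION
# that pulls rows from a table the feature never meant to expose, and a
# stacked statement that tries to modify data.
TAUTOLOGY = "1 OR 1=1"
EXFIL = "0 UNION ALL SELECT login, pass_hash FROM users"
STACKED = "1; DELETE FROM users"


def build_db():
    """Constructed sample data: a vendors table the feature queries, and a
    users table whose contents should never be reachable through it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE vendors (id INTEGER PRIMARY KEY, store_name TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass_hash TEXT);
        INSERT INTO vendors VALUES (1, 'Alpha Store'), (2, 'Beta Store');
        INSERT INTO users VALUES (1, 'admin', '$P$Bfakehash'),
                                 (2, 'editor', '$P$Bfakehash2');
        """
    )
    return conn


def vulnerable_lookup(conn, store_id):
    """The CWE-89 pattern: request input is pasted into the SQL text, so the
    input is parsed as SQL. In WordPress terms this is the shape of
    $wpdb->get_results("... WHERE id = " . $_GET['id']) (hypothetical)."""
    sql = f"SELECT id, store_name FROM vendors WHERE id = {store_id}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, store_id):
    """Hardened form: the value travels as a bound parameter, so it is only
    ever compared against id and never parsed as SQL. This is the shape of
    $wpdb->prepare("... WHERE id = %d", $id) (hypothetical)."""
    return conn.execute(
        "SELECT id, store_name FROM vendors WHERE id = ?", (store_id,)
    ).fetchall()


def stacked_attempt(conn):
    """Single-statement drivers (sqlite3 here, mysqli_query behind $wpdb)
    refuse a second statement appended to the query. That is why a
    SELECT-context injection typically reads data (C:H) but cannot write
    it (I:N): the attacker controls a clause, not a new statement."""
    try:
        vulnerable_lookup(conn, STACKED)
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return "rejected"
    return "executed"


def run_demo():
    """Run every payload against both forms and return the outcomes."""
    conn = build_db()
    results = {
        "vuln_tautology": vulnerable_lookup(conn, TAUTOLOGY),
        "vuln_exfil": vulnerable_lookup(conn, EXFIL),
        "safe_tautology": safe_lookup(conn, TAUTOLOGY),
        "safe_exfil": safe_lookup(conn, EXFIL),
        "safe_normal": safe_lookup(conn, "2"),
        "stacked": stacked_attempt(conn),
    }
    # users must survive the stacked attempt untouched
    results["users_left"] = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Against the vulnerable form the tautology returns every vendor and the UNION payload returns every login and password hash from the other table, which is the confidentiality impact the CVSS metrics describe; against the bound-parameter form both payloads return nothing and an ordinary id still works. The stacked-statement attempt is rejected by the driver, which is the practical reason a flaw of this class scores I:N.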
Vulnerability Summary

| Field | Value |
|---|---|
| CVE | CVE-2025-63029 |
| Weakness class | SQL injection (CWE-89) |
| Affected product | WC Lovers WCFM Marketplace |
| Affected versions | up to and including 3.7.1 |