
A critical SQL injection vulnerability (CVE-2025-30807) has been identified in the Next-Cart Store to WooCommerce Migration plugin, affecting versions up to 3.9.4. The flaw, rated 9.3 (CRITICAL) on the CVSS scale, allows attackers to execute arbitrary SQL commands due to improper neutralization of special elements in database queries [1]. The plugin, used for migrating eCommerce data from 80+ platforms to WooCommerce, had over 10,000 active installations prior to the disclosure [2].
Technical Analysis
The vulnerability stems from unsanitized user input in migration request handlers. Attackers can inject malicious SQL payloads through crafted HTTP requests during the data transfer process. Successful exploitation could lead to complete database compromise, including access to customer records, order histories, and administrative credentials. The plugin’s architecture, which supports direct SQL imports from source platforms, exacerbates the risk [2].
Version 3.9.5, released shortly after the disclosure, includes security patches addressing this issue. The update implements parameterized queries and input validation for all database operations. Previous versions lacked proper sanitization for custom field mappings and CSV import functions, two primary attack vectors for this vulnerability [1].
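To make the two fixes named above concrete (parameterized queries for values, validation for custom field mappings), here is an added example that is not code from the plugin or from the advisory's authors. It uses Python with an in-memory SQLite database rather than the plugin's PHP and MySQL, and the schema, table names (nc_products, wp_users), allowed-column list and payload are all constructed for illustration. The point it shows is that binding a value as a parameter keeps a quote-containing input from changing the statement's structure, while a column name chosen by the user cannot be bound at all and therefore needs an allowlist.

```python
import sqlite3

# Constructed in-memory schema standing in for a WordPress database during a
# migration: a users table with password hashes (what an injection would reach)
# and a staging table the migration populates. Not the plugin's real schema.
def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', 'HASH_PLACEHOLDER');
        CREATE TABLE nc_products (id INTEGER PRIMARY KEY, name TEXT, source_platform TEXT);
        INSERT INTO nc_products VALUES (1, 'Widget', 'shopify');
        INSERT INTO nc_products VALUES (2, 'Gadget', 'magento');
    """)
    return conn

def products_for_platform_vulnerable(conn, platform):
    # Improper neutralization: the request parameter is pasted into the SQL text,
    # so quote characters inside it become part of the statement's structure.
    sql = f"SELECT name FROM nc_products WHERE source_platform = '{platform}'"
    return [row[0] for row in conn.execute(sql)]

def products_for_platform_safe(conn, platform):
    # Parameterized query: the value travels separately from the SQL text and is
    # never parsed as SQL, whatever characters it contains.
    sql = "SELECT name FROM nc_products WHERE source_platform = ?"
    return [row[0] for row in conn.execute(sql, (platform,))]

# Identifiers (table and column names) cannot be bound as parameters, which is
# why a user-supplied field mapping needs its own allowlist check.
ALLOWED_TARGET_COLUMNS = {"name", "source_platform"}  # assumed target schema

def validate_field_mapping(mapping):
    """mapping: {source_field: target_column}. Returns it if every target is allowed."""
    for source, target in mapping.items():
        if target not in ALLOWED_TARGET_COLUMNS:
            raise ValueError(f"field mapping {source!r} -> {target!r} not permitted")
    return mapping

def import_row_safe(conn, mapping, row):
    """Insert one migrated record: identifiers from the allowlist, values bound."""
    mapping = validate_field_mapping(mapping)
    columns = [mapping[src] for src in row]           # only allowlisted identifiers
    placeholders = ", ".join("?" for _ in columns)
    sql = f"INSERT INTO nc_products ({', '.join(columns)}) VALUES ({placeholders})"
    conn.execute(sql, tuple(row.values()))            # values are always parameters
    return conn.execute("SELECT COUNT(*) FROM nc_products").fetchone()[0]

# Constructed input of the UNION SELECT shape the advisory refers to.
INJECTED_PLATFORM = "' UNION SELECT user_pass FROM wp_users --"

def demo():
    """Run the same input through both handlers; returns (leaked_rows, safe_rows)."""
    conn = build_sample_db()
    leaked = products_for_platform_vulnerable(conn, INJECTED_PLATFORM)
    safe = products_for_platform_safe(conn, INJECTED_PLATFORM)
    return leaked, safe

if __name__ == "__main__":
    print(demo())  # vulnerable handler returns the hash row, safe handler returns []
```

The vulnerable handler returns the password hash row because the concatenated statement now contains a second SELECT; the parameterized handler returns nothing, since no product has the literal string as its platform. `import_row_safe` shows the combination needed for an import path: the mapping decides which columns are written and is checked against a fixed set, while every cell value is bound.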
Impact and Mitigation
Organizations using affected versions should immediately upgrade to 3.9.5 or later. For environments where immediate patching isn’t feasible, temporary mitigation includes:
- Restricting plugin access to authenticated administrators only
- Implementing WAF rules to block SQL injection patterns
- Monitoring database logs for unusual query patterns
The plugin’s widespread use in multilingual eCommerce migrations (supporting WPML/Polylang) increases the potential impact, as compromised stores could expose sensitive customer data across multiple regions [2]. Forensic analysis should focus on the wp_nextcart_migration_log table, which records transfer attempts and may contain evidence of exploitation.
Detection and Response
Security teams should search for these indicators of compromise:
| Indicator | Description |
|---|---|
| Database queries containing unusual UNION SELECT statements | Common SQL injection payload structure |
| Unexpected wp_nextcart_% tables | Potential attacker-created persistence mechanisms |
| Abnormal traffic to /wp-admin/admin-ajax.php?action=nextcart_migrate | Primary vulnerable endpoint |
Wordfence and Patchstack have released detection rules for this vulnerability. Organizations should prioritize reviewing migration logs from unpatched systems, particularly focusing on transfers initiated from unexpected IP addresses [2].
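The three indicators in the table above, together with the advice to look for transfers from unexpected IP addresses, can be turned into a small log scanner. The following is an added example, not a Wordfence or Patchstack rule and not code from the plugin's maintainers. It assumes a general query log (one SQL statement per line) and a web server access log in combined format; the sample lines are constructed, the IP addresses are documentation ranges, and the allowlist of known plugin tables holds only the wp_nextcart_migration_log table the advisory names, so it must be replaced with the actual schema of the installed version before use.

```python
import re
from collections import Counter

# Tables the plugin is known to own. Only the migration log table is named in
# the advisory, so this allowlist is an assumption; fill it from the real schema.
KNOWN_NEXTCART_TABLES = {"wp_nextcart_migration_log"}

UNION_RE = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.IGNORECASE)
NEXTCART_TABLE_RE = re.compile(r"\bwp_nextcart_\w+", re.IGNORECASE)

def scan_query_log(lines):
    """Return (line_number, reason) findings for a list of logged SQL statements."""
    findings = []
    for n, query in enumerate(lines, 1):
        if UNION_RE.search(query):
            findings.append((n, "union-select"))
        for table in NEXTCART_TABLE_RE.findall(query):
            if table.lower() not in KNOWN_NEXTCART_TABLES:
                findings.append((n, f"unexpected-table:{table.lower()}"))
    return findings

# Combined log format: client IP first, the request line in double quotes.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)
MIGRATE_ENDPOINT = "/wp-admin/admin-ajax.php"
MIGRATE_ACTION = "action=nextcart_migrate"

def scan_access_log(lines, expected_ips, threshold=5):
    """Count calls to the migration action per client IP.

    Returns {ip: (reason, count)} for clients that are not in expected_ips
    (the operators known to run migrations) or that exceed the request threshold.
    """
    hits = Counter()
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue                      # not a parseable access line; skip
        path, _, query = m.group("path").partition("?")
        if path == MIGRATE_ENDPOINT and MIGRATE_ACTION in query.split("&"):
            hits[m.group("ip")] += 1
    flagged = {}
    for ip, count in hits.items():
        if ip not in expected_ips:
            flagged[ip] = ("unexpected-source", count)
        elif count > threshold:
            flagged[ip] = ("volume-above-threshold", count)
    return flagged

# Constructed sample data; not taken from any real incident.
SAMPLE_QUERIES = [
    "SELECT * FROM wp_nextcart_migration_log WHERE status = 'done'",
    "SELECT post_title FROM wp_posts WHERE post_type = 'product' UNION SELECT user_pass FROM wp_users",
    "CREATE TABLE wp_nextcart_tmp_x (payload TEXT)",
]
SAMPLE_ACCESS = [
    '203.0.113.7 - - [01/Apr/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=nextcart_migrate HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Apr/2025:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=nextcart_migrate HTTP/1.1" 200 512',
    '198.51.100.23 - - [01/Apr/2025:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=nextcart_migrate HTTP/1.1" 200 120',
    '198.51.100.23 - - [01/Apr/2025:10:05:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    print(scan_query_log(SAMPLE_QUERIES))
    print(scan_access_log(SAMPLE_ACCESS, expected_ips={"203.0.113.7"}))
```

On the sample data the query scanner reports the UNION SELECT on line 2 and the unknown wp_nextcart_tmp_x table on line 3 while leaving the legitimate migration-log query alone, and the access scanner reports 198.51.100.23 as an unexpected source of migration requests. The query-side checks only work if statement logging is enabled on the database or a plugin-level query log is available, which is worth confirming before relying on them in a response.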
Conclusion
CVE-2025-30807 represents a significant risk to WooCommerce implementations using the Next-Cart migration plugin. The critical severity rating reflects both the ease of exploitation and potential business impact. While the maintainers have responded promptly with patches, the window of vulnerability between disclosure and patching leaves many installations exposed. This incident underscores the importance of vetting third-party plugins in eCommerce environments, particularly those handling sensitive customer data.
The vulnerability’s discovery follows the plugin’s recent expansion to support additional platforms (including eBay and Lightspeed), which may have introduced the flawed code paths. Future security assessments should pay special attention to data transformation utilities in migration tools, as these frequently require careful input handling [2].