CVE-2025-1323

CVE-2025-1323 is a SQL injection vulnerability in the WP-Recall – Registration, Profile, Commerce & More plugin for WordPress, affecting all versions up to and including 16.26.10. The flaw arises from insufficient escaping of the user-supplied 'databeat' parameter combined with a lack of sufficient preparation in the existing SQL query, allowing injection of malicious SQL code.

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity, no required privileges, and no user interaction. Exploitation enables appending additional SQL queries to existing ones, facilitating the extraction of sensitive information from the database. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection').

Mitigation details are available in advisories and patches referenced in the CVE, including a WordPress plugin trac changeset at https://plugins.trac.wordpress.org/changeset/3250094/wp-recall/trunk/add-on/rcl-chat/core.php, which addresses the vulnerable core.php file, and a Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/ae5b4d81-c2f1-4d0d-b7b0-5556bf0451f5?source=cve.