CVE-2025-14124

High

Published: 05 January 2026

Published

05 January 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

EPSS Score 0.1033 93.2th percentile

Risk Priority 23 60% EPSS · 20% KEV · 20% CVSS

Description

The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation and sanitization of the unauthenticated AJAX parameter before its use in SQL statements, preventing SQL injection execution.

SI-2 Flaw Remediation good match

prevent

Mandates identification, reporting, and timely remediation of the SQL injection flaw by patching The Team WordPress plugin to version 5.0.11 or later.

SC-7 Boundary Protection partial match

preventdetect

Implements boundary protection such as web application firewalls to monitor and block SQL injection attempts in publicly accessible unauthenticated AJAX endpoints.

Security SummaryAI

CVE-2025-14124 is a SQL injection vulnerability affecting The Team WordPress plugin in versions before 5.0.11. The plugin fails to properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action that is available to unauthenticated users, enabling arbitrary SQL query execution.

Unauthenticated attackers can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). Exploitation results in a changed scope (S:C) with high confidentiality impact (C:H) but no integrity (I:N) or availability (A:N) impact, as reflected in its CVSS v3.1 base score of 8.6. Attackers can achieve unauthorized extraction of sensitive data from the database.

The WPScan advisory (https://wpscan.com/vulnerability/fdd19027-b70e-45a4-882b-77ab1819af91/) details this issue, published on 2026-01-05. Mitigation requires updating The Team WordPress plugin to version 5.0.11 or later to properly sanitize the affected parameter.

Details

CWE(s): None listed

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing WordPress plugin enables unauthenticated remote exploitation of public-facing application (T1190) and arbitrary database queries for sensitive data extraction (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://wpscan.com/vulnerability/fdd19027-b70e-45a4-882b-77ab1819af91/
contact@wpscan.com