CVE-2025-1446
Published: 23 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-1446 is a SQL injection vulnerability (CWE-89) affecting the Pods WordPress plugin in versions before 3.2.8.2. The plugin fails to sanitize and escape a parameter before incorporating it into a SQL statement, enabling injection attacks. Published on 2025-03-23, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, no privileges or user interaction required, and high impacts across confidentiality, integrity, and availability.
The advisory text states that the flaw allows administrators to perform SQL injection attacks, whereas the CVSS vector (PR:N) indicates that no privileges are required, so the metrics describe exploitation by unauthenticated remote attackers over the network. Successful exploitation could let an attacker manipulate database queries, potentially extracting sensitive data, modifying records, or disrupting service.
Advisories from WPScan detail the issue and recommend updating to Pods version 3.2.8.2 or later to mitigate the vulnerability. Additional details are available at https://wpscan.com/vulnerability/c170fb45-7ed5-40ef-99f6-8da035a23d89/.
Details
- CWE(s): CWE-89 (SQL injection)
- Affected Products: Pods WordPress plugin, versions before 3.2.8.2
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A SQL injection vulnerability in a public-facing WordPress plugin directly enables remote exploitation of the application over the network without authentication.