CVE-2025-2106

CVE-2025-2106 is a SQL injection vulnerability in the ArielBrailovsky-ViralAd plugin for WordPress, affecting all versions up to and including 1.0.8. The flaw exists in the limpia() function due to insufficient escaping of the user-supplied 'text' and 'id' parameters and lack of proper preparation in the existing SQL query, allowing injection of additional SQL queries. This issue is classified under CWE-89 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is only exploitable on very old versions of WordPress.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity by sending crafted requests containing malicious SQL payloads via the vulnerable parameters. Successful exploitation enables appending arbitrary SQL queries to existing ones, potentially allowing extraction of sensitive information from the database, such as user credentials or other confidential data.

Advisories from Wordfence detail the vulnerability in their threat intelligence report, highlighting the specific code location in inc/anuncio.php at line 174. The WordPress plugin directory page for ArielBrailovsky-ViralAd provides access to the plugin for review, and mitigation involves updating to a patched version if available or removing the plugin, alongside ensuring WordPress is not running a very old version susceptible to exploitation.