CVE-2025-2107

CVE-2025-2107 is a SQL injection vulnerability (CWE-89) in the ArielBrailovsky-ViralAd plugin for WordPress, affecting all versions up to and including 1.0.8. The issue arises in the printResultAndDie() function due to insufficient escaping of the user-supplied 'id' parameter and lack of proper preparation in the existing SQL query, enabling attackers to append additional SQL queries. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and was published on 2025-03-13.

Unauthenticated attackers with network access can exploit this vulnerability with low complexity to inject and execute appended SQL queries, resulting in the extraction of sensitive information from the database. This appears to be limited to very old versions of WordPress, reducing the attack surface for sites running modern installations.

Advisories from Wordfence and references to the plugin's source code in anuncio.php (line 105) and the WordPress plugin directory detail the vulnerability but do not specify patches beyond version 1.0.8. Security practitioners should consult these resources—https://www.wordfence.com/threat-intel/vulnerabilities/id/c6c846c8-df8a-4a95-834e-a9443b6a86b5?source=cve, https://plugins.trac.wordpress.org/browser/arielbrailovsky-viralad/trunk/inc/anuncio.php#L105, and https://wordpress.org/plugins/arielbrailovsky-viralad/—for recommended mitigations, such as plugin deactivation or removal on affected sites.