CVE-2025-22350

High

Published: 07 January 2025

Published

07 January 2025

Modified

28 April 2026

KEV Added

—

Patch

—

CVSS Score 7.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

EPSS Score 0.0007 20.3th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WpIndeed Ultimate Learning Pro allows SQL Injection.This issue affects Ultimate Learning Pro: from n/a through 3.9.

Security Summary

CVE-2025-22350 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the WordPress plugin Ultimate Learning Pro by WpIndeed. The issue impacts all versions from n/a through 3.9 and was published on 2025-01-07T17:15:33.093. It carries a CVSS v3.1 base score of 7.6, reflecting network accessibility, low attack complexity, high privileges required, no user interaction, changed scope, high confidentiality impact, no integrity impact, and low availability impact.

High-privileged remote users (PR:H) can exploit this SQL injection vulnerability over the network (AV:N) with low complexity (AC:L) and without requiring user interaction (UI:N). Exploitation enables attackers to achieve high confidentiality impact (C:H), such as extracting sensitive data from the database, alongside low availability disruption (A:L), due to the changed scope (S:C).

Mitigation details are provided in the advisory from Patchstack at https://patchstack.com/database/wordpress/plugin/indeed-learning-pro/vulnerability/wordpress-indeed-ultimate-learning-pro-plugin-3-9-sql-injection-vulnerability?_s_id=cve.

Details

CWE(s): CWE-89

References

https://patchstack.com/database/wordpress/plugin/indeed-learning-pro/vulnerability/wordpress-indeed-ultimate-learning-pro-plugin-3-9-sql-injection-vulnerability?_s_id=cve
audit@patchstack.com