Cyber Posture

CVE-2025-22351

High

Published: 07 January 2025

Modified: 23 April 2026
KEV Added:
Patch:
CVSS Score: 7.6 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L)
EPSS Score: 0.0009 (25.3th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in penguinarts Contact Form 7 Database – CFDB7 advanced-cf7-database allows SQL Injection. This issue affects Contact Form 7 Database – CFDB7: from n/a through <= 1.0.0.

Security Summary

CVE-2025-22351 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the penguinarts Contact Form 7 Database – CFDB7 WordPress plugin (advanced-cf7-database). This issue impacts versions from n/a through 1.0.0 inclusive. The vulnerability was published on 2025-01-07.

The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L). Attackers with network access and high privileges, such as authenticated WordPress users with elevated permissions, can exploit it with low complexity and no user interaction. Successful exploitation enables arbitrary SQL command injection, resulting in high confidentiality impact through unauthorized data access, a changed scope affecting additional components, and low availability impact.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/advanced-cf7-database/vulnerability/wordpress-contact-form-7-database-cfdb7-plugin-1-0-0-sql-injection-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-89
