CVE-2025-22523
Published: 28 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-22523 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, that enables Blind SQL Injection in the Schedule plugin for WordPress. The vulnerability affects the scheduler Schedule component in versions from n/a through 1.0.0 inclusive. It was published on 2025-03-28 with a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites.
Unauthenticated remote attackers can exploit this vulnerability over the network without user interaction. By injecting malicious SQL payloads into affected inputs, attackers can perform blind SQL injection to infer and extract sensitive data from the underlying database, achieving high confidentiality impact. The changed scope and low availability impact suggest potential disruption limited to the database layer.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/schedule/vulnerability/wordpress-schedule-plugin-1-0-0-sql-injection-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an unauthenticated blind SQL injection vulnerability in a public-facing WordPress plugin, directly enabling remote exploitation of the web application to extract sensitive database data.