Cyber Posture

CVE-2025-22527

High

Published: 09 January 2025

Modified: 29 April 2026
KEV Added:
Patch:
CVSS Score: 7.6 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L)
EPSS Score: 0.0018 (39.8th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yamna Khawaja Mailing Group Listserv wp-mailing-group allows SQL Injection. This issue affects Mailing Group Listserv: from n/a through <= 2.0.9.

Security Summary

CVE-2025-22527 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89. It affects the WordPress plugin Mailing Group Listserv (wp-mailing-group) developed by Yamna Khawaja, in all versions up to and including 2.0.9. The vulnerability was published on 2025-01-09.

The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L). Exploitation requires high privileges (PR:H), such as an administrator account, and is possible remotely over the network with low attack complexity and no user interaction. The confidentiality impact is high, such as extraction of sensitive data from the database; the availability impact is low; there is no integrity impact; and the scope is changed (S:C).

Advisories, including the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/wp-mailing-group/vulnerability/wordpress-mailing-group-listserv-plugin-2-0-9-sql-injection-vulnerability?_s_id=cve, describe the SQL injection issue in version 2.0.9 and give the associated mitigation guidance.

Details

CWE(s)
CWE-89
