CVE-2025-22535

High

Published: 09 January 2025

Published

09 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

EPSS Score 0.0009 26.2th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in jonkern WPListCal wplistcal allows SQL Injection.This issue affects WPListCal: from n/a through <= 1.3.5.

Security Summary

CVE-2025-22535 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the WPListCal WordPress plugin developed by jonkern (wplistcal). This issue impacts all versions from n/a through 1.3.5, as published on 2025-01-09.

The vulnerability carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), indicating it can be exploited remotely over the network by low-privileged users (PR:L) with low attack complexity and no user interaction required. Attackers can achieve high-impact confidentiality loss, such as extracting sensitive data from the database, alongside limited availability impact, with the attack's scope changing to affect other system components.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wplistcal/vulnerability/wordpress-wplistcal-plugin-1-3-5-sql-injection-vulnerability?_s_id=cve documents this SQL injection vulnerability in the WPListCal plugin up to version 1.3.5, providing details for security practitioners on detection and remediation.

Details

CWE(s): CWE-89

References

https://patchstack.com/database/Wordpress/Plugin/wplistcal/vulnerability/wordpress-wplistcal-plugin-1-3-5-sql-injection-vulnerability?_s_id=cve
audit@patchstack.com