CVE-2025-22536
Published: 07 January 2025
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in hiren.sabd WP Music Player wp-music-player allows SQL Injection. This issue affects WP Music Player: from n/a through <= 1.3.
Security Summary
CVE-2025-22536 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the WP Music Player WordPress plugin developed by hiren.sabd. This issue impacts all versions of the plugin from n/a through 1.3 inclusive, as published on 2025-01-07.
The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L), indicating it can be exploited remotely over the network by an attacker with high privileges, such as an authenticated administrator, using low-complexity techniques and without requiring user interaction. Successful exploitation gives the attacker a high confidentiality impact, such as extracting sensitive data from the database, together with a low availability impact; because the scope is changed, the impact can extend to resources beyond the vulnerable plugin itself.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-music-player/vulnerability/wordpress-wp-music-player-plugin-1-3-sql-injection-vulnerability?_s_id=cve provides details on this SQL Injection vulnerability in the WP Music Player plugin version 1.3.
Details
- CWE(s)