CVE-2025-22553

Critical

Published: 21 January 2025

Published

21 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 9.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

EPSS Score 0.0007 21.3th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in dhananjaysingh Multiple Carousel multicarousel allows SQL Injection.This issue affects Multiple Carousel: from n/a through <= 2.0.

Security Summary

CVE-2025-22553 is an improper neutralization of special elements used in an SQL command, classified as an SQL Injection vulnerability (CWE-89), affecting the Multiple Carousel WordPress plugin developed by dhananjaysingh. This issue impacts versions of the plugin from an unspecified initial release through 2.0.

The vulnerability has a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L), indicating it is exploitable remotely over the network by unauthenticated attackers with low attack complexity and no user interaction required. Exploitation changes the scope, enabling high-impact confidentiality violations such as unauthorized access to sensitive data via SQL queries, alongside low availability impact but no integrity impact.

Patchstack has published an advisory detailing the vulnerability in the Multiple Carousel plugin version 2.0, available at https://patchstack.com/database/Wordpress/Plugin/multicarousel/vulnerability/wordpress-multiple-carousel-plugin-2-0-sql-injection-vulnerability?_s_id=cve.

Details

CWE(s): CWE-89

References

https://patchstack.com/database/Wordpress/Plugin/multicarousel/vulnerability/wordpress-multiple-carousel-plugin-2-0-sql-injection-vulnerability?_s_id=cve
audit@patchstack.com