CVE-2025-22700
Published: 04 February 2025
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler Code traveler-code. This issue affects Traveler Code: from n/a through < 3.1.3.
Security Summary
CVE-2025-22700 is an improper neutralization of special elements used in an SQL command, classified as an SQL injection vulnerability (CWE-89), affecting the Traveler Code WordPress plugin developed by shinetheme. The issue affects all versions of the plugin prior to 3.1.3 (the record gives the range as "from n/a through < 3.1.3").
Attackers with low privileges, such as subscribers, can exploit this vulnerability over the network with high attack complexity and no user interaction required. Successful exploitation enables arbitrary SQL execution, resulting in high impacts on confidentiality, integrity, and availability (CVSS v3.1 score of 8.5: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H), with a changed scope that amplifies the potential damage beyond the plugin itself.
Mitigation involves updating the Traveler Code plugin to version 3.1.3 or later. Further details on the vulnerability, including exploitation specifics for subscribers, are provided in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/traveler-code/vulnerability/wordpress-traveler-code-plugin-3-1-0-subscriber-arbitrary-sql-execution-vulnerability?_s_id=cve.
Details
- CWE(s)