CVE-2025-22783
Published: 27 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-22783 is an improper neutralization of special elements used in an SQL command, classified as an SQL Injection vulnerability (CWE-89), in the SEO Squirrly SEO WordPress plugin (squirrly-seo) developed by Squirrly SEO. The issue affects the plugin from unknown initial versions through version 12.4.03.
Attackers with low privileges, such as authenticated users, can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. The CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L) indicates high confidentiality impact across a changed scope, with low availability impact and no integrity impact, enabling potential extraction of sensitive database information.
Mitigation guidance is available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/squirrly-seo/vulnerability/wordpress-seo-plugin-by-squirrly-seo-plugin-12-4-03-sql-injection-vulnerability?_s_id=cve.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing WordPress plugin enables remote exploitation of the web application (T1190) by authenticated users and direct extraction of sensitive data from the backend database (T1213.006).