CVE-2025-2319
Published: 25 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-2319 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress in versions 4.11.13 through 5.25.08. The issue stems from missing or incorrect nonce validation in the 'ELISQLREPORTS_menu' function, earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). It was published on 2025-03-25.
Unauthenticated attackers can exploit this vulnerability by tricking a site administrator into performing an action, such as clicking a malicious link, which triggers a forged request to execute arbitrary code on the server. Successful exploitation grants high-impact confidentiality, integrity, and availability effects, potentially allowing full server compromise.
Version 5.25.10 of the plugin resolves the vulnerability by adding a nonce check, limiting exploitation to authenticated administrators only. References to plugin source code in earlier vulnerable versions (e.g., 4.11.13, 4.11.15, 4.11.33, 4.11.37, 4.16.38) are available via WordPress plugin trac repositories for further analysis.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF vulnerability in the public-facing WordPress plugin allows unauthenticated attackers to trick an administrator into clicking a malicious link that forges a request to execute arbitrary code, directly enabling initial access via exploitation of a public-facing application leading to full server compromise.