CVE-2025-23774
Published: 22 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-23774 is an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) in the WPDB to Sql WordPress plugin by Niket Joshi. It affects all versions of the wpdb-to-sql plugin up to and including 1.2: the plugin includes sensitive data in data it sends to the client, so an attacker who can reach the affected site can retrieve that data from the plugin's responses.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Read metric by metric: it is reachable over the network (AV:N), has low attack complexity (AC:L), and needs neither privileges (PR:N) nor user interaction (UI:N), so an unauthenticated remote attacker can exploit it. Successful exploitation yields a high confidentiality impact (C:H), the sensitive data carried in the plugin's responses, with no impact on integrity (I:N) or availability (A:N); the scope is unchanged (S:U), so the impact stays within the vulnerable WordPress site itself.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wpdb-to-sql/vulnerability/wordpress-wpdb-to-sql-plugin-1-2-sensitive-data-exposure-vulnerability?_s_id=cve) documents this sensitive data exposure in version 1.2 of the WPDB to Sql plugin. Consult it for the current mitigation guidance and for whether a fixed release is available; until a patched version is installed, treat every site running version 1.2 or earlier as exposed and consider removing the plugin where a database export feature is not needed.
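The first practical step is finding which sites run an affected version. The following added example (not from the advisory or the plugin) is a triage helper that consumes the JSON produced by WP-CLI's `wp plugin list --format=json` and flags every host where wpdb-to-sql is at version 1.2 or earlier. The inventory below is constructed for illustration, not captured from real sites; host names and the field names are those WP-CLI emits (`name`, `status`, `update`, `version`).

```python
"""Flag WordPress hosts running wpdb-to-sql <= 1.2 (added example).

Input format is assumed to be the JSON printed by
`wp plugin list --format=json` (WP-CLI), one document per host.
"""
import json
import re

AFFECTED_SLUG = "wpdb-to-sql"
LAST_AFFECTED_VERSION = "1.2"  # "all versions up to and including 1.2"

# Constructed sample inventory: three hypothetical hosts, not real data.
SAMPLE_INVENTORY = {
    "blog.example": json.dumps([
        {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
        {"name": "wpdb-to-sql", "status": "active", "update": "none", "version": "1.2"},
    ]),
    "shop.example": json.dumps([
        {"name": "wpdb-to-sql", "status": "inactive", "update": "none", "version": "1.10"},
    ]),
    "docs.example": json.dumps([
        {"name": "wpdb-to-sql", "status": "active", "update": "none", "version": "1.1.5"},
    ]),
    "clean.example": json.dumps([
        {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    ]),
}


def version_key(version: str) -> tuple:
    """Numeric tuple for dotted versions so that '1.10' > '1.2' > '1.1.5'.

    Trailing zeros are dropped so '1.2.0' compares equal to '1.2'.
    Naive string comparison would wrongly rank '1.10' below '1.2'.
    """
    nums = [int(x) for x in re.findall(r"\d+", version)]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True for every version up to and including LAST_AFFECTED_VERSION."""
    return version_key(version) <= version_key(LAST_AFFECTED_VERSION)


def triage(inventory: dict) -> dict:
    """Return {host: finding} for each host where the plugin is installed.

    Inactive installs are reported too: the plugin's files remain under
    wp-content/plugins, and the advisory does not say exploitation
    requires the plugin to be activated.
    """
    findings = {}
    for host, raw in inventory.items():
        for plugin in json.loads(raw):
            if plugin.get("name") != AFFECTED_SLUG:
                continue
            findings[host] = {
                "version": plugin["version"],
                "status": plugin["status"],
                "affected": is_affected(plugin["version"]),
            }
    return findings


if __name__ == "__main__":
    for host, f in sorted(triage(SAMPLE_INVENTORY).items()):
        flag = "AFFECTED" if f["affected"] else "ok"
        print(f"{host:15} {AFFECTED_SLUG} {f['version']:7} {f['status']:9} {flag}")
```

The comparison implements only what this page states (affected through 1.2); because the page does not name a fixed release, a version above 1.2 should be trusted as safe only once the Patchstack advisory or the plugin's changelog confirms it, so re-check the advisory before marking any host as remediated.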
Details
- CWE(s): CWE-201 Insertion of Sensitive Information Into Sent Data
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
The flaw sits in a WordPress plugin served by the site's Internet-facing web server and is exploitable remotely without authentication, so an adversary can use it to pull sensitive data from a public-facing application as an initial-access step.