CVE-2025-23784
Published: 22 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-23784 is an SQL injection vulnerability (CWE-89) stemming from improper neutralization of special elements used in an SQL command. It affects the WordPress plugin "Contact Form 7 Round Robin Lead Distribution" by David Jeffrey, with the flaw present in all versions up to and including 1.2.1.
The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L). Attackers with high privileges, such as authenticated administrators, can exploit it remotely over the network with low attack complexity and no user interaction required. Successful exploitation enables high-impact confidentiality violations, such as unauthorized data extraction from the database, alongside low availability disruption and a changed scope, but no integrity impact.
Mitigation details are available in advisories like the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/contact-form-7-round-robin-lead-distribution/vulnerability/wordpress-contact-form-7-round-robin-lead-distribution-plugin-1-2-1-sql-injection-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection enables direct unauthorized data extraction from the database by authenticated admins, mapping to Data from Information Repositories (Databases).