CVE-2025-23912
Published: 16 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-23912 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that enables Blind SQL Injection in the WordPress Custom Sidebar plugin (wordpress-custom-sidebar) developed by Philipp Speck. The flaw affects all versions of the plugin from unknown initial release through version 2.3 inclusive.
With a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), the vulnerability is exploitable over the network with low attack complexity by low-privileged authenticated users, requiring no user interaction. Attackers can achieve high confidentiality impact by extracting sensitive data from the database via blind SQL injection techniques, with changed scope, no integrity impact, and low availability impact.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wordpress-custom-sidebar/vulnerability/wordpress-wordpress-custom-sidebar-plugin-2-3-sql-injection-vulnerability?_s_id=cve details the SQL injection vulnerability in WordPress Custom Sidebar plugin version 2.3 and earlier.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in a public-facing WordPress plugin directly enables exploitation of the web application (T1190) and facilitates extraction of sensitive data from the backend database via blind SQL injection (T1213.006).