CVE-2025-23913
Published: 16 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-23913 is an Improper Neutralization of Special Elements used in an SQL Command vulnerability, classified as SQL Injection (CWE-89), affecting the WordPress plugin Google Map Professional (google-map-professional) developed by pankajpragma. This issue impacts all versions from n/a through 1.0 inclusive, as published on 2025-01-16.
The vulnerability has a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), indicating exploitation over the network with low attack complexity, requiring low privileges such as an authenticated subscriber-level user, and no user interaction. Attackers can achieve high confidentiality impact by extracting sensitive data from the database, alongside low availability impact and changed scope, but no integrity impact.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/google-map-professional/vulnerability/wordpress-google-map-professional-plugin-1-0-sql-injection-vulnerability?_s_id=cve documents the SQL injection vulnerability in Google Map Professional version 1.0, providing details for security practitioners to assess mitigation steps.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing WordPress plugin directly enables exploitation of the web application for initial access and database data extraction.