CVE-2025-24612
Published: 27 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-24612 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the WordPress plugin "Ihor Kit Shipping for Nova Poshta" (nova-poshta-ttn). This issue impacts all versions of the plugin up to and including 1.19.6. The vulnerability was published on 2025-01-27 and carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L).
The attack scenario involves unauthenticated attackers accessible over the network, requiring low attack complexity and no user interaction. Exploitation changes the scope and enables high-impact confidentiality loss, such as unauthorized data disclosure via SQL queries, alongside low availability impact but no integrity impact.
Patchstack provides details on the vulnerability in its advisory at https://patchstack.com/database/Wordpress/Plugin/nova-poshta-ttn/vulnerability/wordpress-shipping-for-nova-poshta-plugin-1-19-6-sql-injection-vulnerability?_s_id=cve, which security practitioners should consult for mitigation guidance.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unauthenticated SQL injection vulnerability in a publicly accessible WordPress plugin directly enables remote exploitation of a public-facing application for data disclosure.