Cyber Posture

CVE-2025-24659

High

Published: 24 January 2025

Published
24 January 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 7.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
EPSS Score 0.0216 84.4th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may leverage databases to mine valuable information.

Security Summary

CVE-2025-24659 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that enables Blind SQL Injection in the Shahjada WPDM – Premium Packages plugin (wpdm-premium-packages) for WordPress. The flaw affects all versions from n/a through 5.9.6 and is classified under CWE-89.

Attackers with high privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation changes scope and results in high confidentiality impact (allowing data extraction), low availability impact, and no integrity impact, consistent with the CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L).

The Patchstack advisory provides further details on this vulnerability, including vulnerability assessment for the WordPress Premium Packages plugin up to version 5.9.6, accessible at https://patchstack.com/database/Wordpress/Plugin/wpdm-premium-packages/vulnerability/wordpress-premium-packages-sell-digital-products-securely-plugin-5-9-6-sql-injection-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-89

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
attack.mitre.org →
Why these techniques?

SQL injection vulnerability in public-facing WordPress plugin directly enables T1190 for application exploitation and facilitates T1213.006 for database data extraction via blind queries.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References