CVE-2025-24665
Published: 27 January 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-24665 is an SQL Injection vulnerability (CWE-89) affecting the WordPress plugin Small Package Quotes – Unishippers Edition, developed by enituretechnology under the identifier small-package-quotes-unishippers-edition. The flaw stems from improper neutralization of special elements used in an SQL command, impacting all versions from n/a through 2.4.8. It carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L), indicating critical severity due to its network accessibility and potential for significant data exposure.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation enables high confidentiality impact, such as extracting sensitive database information, alongside low availability disruption and a changed scope that may amplify effects beyond the vulnerable component.
Mitigation guidance is available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/small-package-quotes-unishippers-edition/vulnerability/wordpress-small-package-quotes-plugin-2-4-8-sql-injection-vulnerability?_s_id=cve, which details the WordPress plugin vulnerability.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing WordPress plugin enables remote unauthenticated exploitation of the application (T1190) and direct extraction of sensitive data from the local database (T1005).