CVE-2025-24669
Published: 24 January 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-24669 is an improper neutralization of special elements used in an SQL command, classified as an SQL Injection vulnerability (CWE-89), affecting the SERPed.net WordPress plugin, also referred to as serped-net. This issue impacts all versions of the plugin from unknown initial release through version 4.4 inclusive.
The vulnerability carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), indicating it is exploitable remotely over the network with low attack complexity and no user interaction required. Exploitation requires low privileges, such as those of a subscribed or contributor-level WordPress user. Successful attacks enable high-impact confidentiality violations, such as unauthorized data access, low-impact availability disruption, and privilege escalation across a changed scope affecting other system components.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/serped-net/vulnerability/wordpress-serped-net-plugin-4-4-sql-injection-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in the public-facing WordPress plugin enables remote exploitation of the application (T1190) and directly supports privilege escalation with changed scope (T1068) as described in the CVSS impacts.