CVE-2025-26898
Published: 27 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26898 is an improper neutralization of special elements used in an SQL command, classified as an SQL injection vulnerability (CWE-89), affecting the Traveler theme developed by shinetheme for WordPress. This issue impacts all versions of the Traveler theme from n/a through those prior to 3.2.1.
The vulnerability carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L), indicating that unauthenticated attackers can exploit it remotely over the network with low attack complexity and no user interaction required. Exploitation enables high confidentiality impact, such as unauthorized access to sensitive data, alongside low availability impact, with the scope changing to affect additional resources.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-1-8-sql-injection-vulnerability?_s_id=cve provides details on the vulnerability in the Traveler theme, with mitigation achieved by updating to version 3.2.1 or later.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing WordPress theme directly enables T1190 Exploit Public-Facing Application for remote unauthenticated data access.