CVE-2025-26941
Published: 26 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-26941 is an Improper Neutralization of Special Elements used in an SQL Command vulnerability, classified as SQL Injection (CWE-89), in the Church Admin WordPress plugin developed by andy_moyle. This issue affects the church-admin plugin in all versions from n/a through 5.0.18 inclusive. The vulnerability was published on 2025-03-26 and carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation enables high confidentiality impact, potentially allowing extraction of sensitive data from the database, while achieving a changed scope, no integrity impact, and low availability impact.
The Patchstack advisory provides details on this WordPress Church Admin plugin 5.0.18 SQL Injection vulnerability, including recommended mitigations: https://patchstack.com/database/Wordpress/Plugin/church-admin/vulnerability/wordpress-church-admin-plugin-5-0-18-sql-injection-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing WordPress plugin enables remote exploitation of web applications (T1190) and direct unauthorized data extraction from the backend database (T1213.006).