CVE-2025-26943
Published: 25 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26943 is an Improper Neutralization of Special Elements used in an SQL Command vulnerability, enabling Blind SQL Injection (CWE-89), in the Easy Quotes WordPress plugin by Jürgen Müller. The issue affects the easy-quotes plugin from unknown initial versions through version 1.2.2.
With a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L), the vulnerability is exploitable by unauthenticated remote attackers over the network with low attack complexity and no user interaction. Exploitation can result in high confidentiality impact, such as extracting sensitive data from the database via blind SQL injection techniques, alongside low availability impact and a change in scope.
Patchstack's advisory documents the SQL injection vulnerability in the WordPress Easy Quotes plugin version 1.2.2, available at https://patchstack.com/database/Wordpress/Plugin/easy-quotes/vulnerability/wordpress-easy-quotes-plugin-1-2-2-sql-injection-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in public-facing WordPress plugin directly enables remote exploitation of Internet-facing applications for initial access and data extraction.