Cyber Posture

CVE-2025-26946

High

Published: 25 February 2025

Published
25 February 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 7.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
EPSS Score 0.0006 17.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may leverage databases to mine valuable information.

Security Summary

CVE-2025-26946 is an Improper Neutralization of Special Elements used in an SQL Command vulnerability, classified as Blind SQL Injection (CWE-89), in the WP Yelp Review Slider WordPress plugin developed by jgwhite33. This flaw affects the plugin from unknown initial versions through version 8.1 inclusive.

The vulnerability can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), requiring high privileges (PR:H) such as those of an authenticated administrator, and no user interaction (UI:N). Attackers achieving exploitation gain changed scope (S:C), resulting in high confidentiality impact (C:H) for potential data exfiltration through blind SQL injection techniques, with no integrity impact (I:N) and low availability impact (A:L), yielding a CVSS v3.1 base score of 7.6.

Patchstack advisories document the SQL injection vulnerability in WP Yelp Review Slider plugin version 8.1, providing details via their vulnerability database entry.

Details

CWE(s)
CWE-89

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
attack.mitre.org →
Why these techniques?

SQL injection vulnerability in public-facing WordPress plugin directly enables exploitation of public-facing applications for data exfiltration from the database.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

References