CVE-2025-26978
Published: 15 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-26978 is an improper neutralization of special elements used in an SQL command, classified as an SQL injection vulnerability (CWE-89), affecting the FS Poster WordPress plugin developed by fs-code. This issue impacts all versions of FS Poster from n/a through 6.5.8. Published on 2025-03-15, it carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), reflecting high severity due to network accessibility, low attack complexity, and significant confidentiality impact.
Low-privileged authenticated users (PR:L) can exploit this vulnerability remotely over the network without requiring user interaction. Exploitation enables attackers to extract highly sensitive data from the database (C:H) and cause low-level availability disruption (A:L), with the attack propagating across a security scope change (S:C) to potentially affect other components.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/fs-poster/vulnerability/wordpress-fs-poster-plugin-6-5-8-sql-injection-vulnerability?_s_id=cve details this SQL injection vulnerability in the FS Poster plugin up to version 6.5.8.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in a public-facing WordPress plugin directly enables remote exploitation of public-facing applications (T1190) and facilitates unauthorized collection of sensitive data from the database (T1213.006).