CVE-2025-27263
Published: 03 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-27263 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the Doctor Appointment Booking WordPress plugin developed by Creativeitem. The issue impacts all versions of the plugin from n/a through 1.0.0. Published on 2025-03-03T14:15:57.980, it carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).
Low-privileged users (PR:L), such as authenticated WordPress users, can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). Exploitation leads to high confidentiality impact (C:H), allowing unauthorized access to sensitive data, alongside low availability impact (A:L) and no integrity impact (I:N), with a changed scope (S:C) that enables effects on higher-privilege components.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/doctor-appointment-booking/vulnerability/wordpress-doctor-appointment-booking-plugin-1-0-0-sql-injection-vulnerability?_s_id=cve documents the SQL injection vulnerability in the Doctor Appointment Booking plugin version 1.0.0.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing WordPress plugin directly enables T1190 (exploiting the web application for access) and T1213.006 (arbitrary queries to extract sensitive data from the database).