CVE-2025-27268
Published: 03 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-27268 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the WordPress plugin Small Package Quotes – Worldwide Express Edition (small-package-quotes-wwe-edition) developed by enituretechnology. The issue impacts all versions from n/a through 5.2.18, as published on 2025-03-03.
The vulnerability carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L), making it exploitable by unauthenticated remote attackers with low attack complexity and no user interaction required. Exploitation enables attackers to achieve high-impact confidentiality violations, such as extracting sensitive data from the database, alongside limited availability impacts, due to the changed scope.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/small-package-quotes-wwe-edition/vulnerability/wordpress-small-package-quotes-worldwide-express-edition-plugin-5-2-18-sql-injection-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in unauthenticated public-facing WordPress plugin directly enables T1190 (Exploit Public-Facing Application) for remote access and facilitates T1213.006 (Databases) for extracting sensitive data from the database.