CVE-2025-28873
Published: 26 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-28873 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that enables Blind SQL Injection in the Shuffle WordPress theme by Scott Taylor. This issue affects Shuffle versions from n/a through <= 0.5.
The vulnerability carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), indicating it can be exploited remotely by a low-privileged user with low attack complexity and no user interaction. Attackers can achieve high confidentiality impact through data extraction, low availability impact, and a changed scope, allowing unauthorized access to sensitive database information via blind SQL techniques.
Patchstack documents this SQL injection vulnerability specific to the WordPress Shuffle plugin version 0.5 in their database, providing details on the affected theme at https://patchstack.com/database/Wordpress/Theme/shuffle/vulnerability/wordpress-shuffle-plugin-0-5-sql-injection-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote SQL injection vulnerability in a public-facing WordPress theme, directly enabling exploitation of public-facing applications (T1190) for unauthorized database access and data extraction.