Cyber Posture

CVE-2025-30525

High

Published: 24 March 2025

Published
24 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 7.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
EPSS Score 0.0041 61.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-30525 is an improper neutralization of special elements used in an SQL command, classified as an SQL Injection vulnerability (CWE-89), affecting the WP Profitshare WordPress plugin from ProfitShare.ro. This issue impacts all versions of the wp-profitshare plugin up to and including 1.4.9, with no lower bound specified.

The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L), indicating it is exploitable remotely over the network with low attack complexity by authenticated users possessing high privileges and no user interaction required. Exploitation results in high confidentiality impact, allowing attackers to access sensitive data, alongside low availability impact and a changed scope.

The Patchstack advisory provides further details on this WordPress plugin vulnerability at https://patchstack.com/database/Wordpress/Plugin/wp-profitshare/vulnerability/wordpress-wp-profitshare-plugin-1-4-9-sql-injection-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-89

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

SQL injection in public-facing WordPress plugin directly maps to exploitation of public-facing applications for initial access and data retrieval.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References