Cyber Posture

CVE-2025-30569

High

Published: 24 March 2025

Published
24 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
EPSS Score 0.0005 16.6th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may leverage databases to mine valuable information.

Security Summary

CVE-2025-30569 is an SQL injection vulnerability stemming from improper neutralization of special elements used in an SQL command (CWE-89) in the WP Featured Entries WordPress plugin, also referred to as Jahertor WP Featured Entries wp-featured-entries. This issue affects all versions of the plugin from n/a through 1.0 inclusive. Published on 2025-03-24T14:15:28.780, it carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).

Low-privileged authenticated users can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation changes the scope and results in high confidentiality impact, enabling data extraction from the database, alongside low availability impact and no integrity impact.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-featured-entries/vulnerability/wordpress-wp-featured-entries-1-0-sql-injection-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-89

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
attack.mitre.org →
Why these techniques?

SQL injection vulnerability in public-facing WordPress plugin directly enables exploitation of web application for initial access and database data extraction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References