Cyber Posture

CVE-2025-30571

High

Published: 24 March 2025
Modified: 23 April 2026
KEV Added
Patch
CVSS Score: 7.6 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L)
EPSS Score: 0.0013 (32.8th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may leverage databases to mine valuable information.

Security Summary

CVE-2025-30571 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the STEdb Forms WordPress plugin developed by STEdb Corp. The issue resides in the stedb-forms component and impacts all versions from n/a through 1.0.4, where special elements are not properly neutralized in SQL commands.

The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L): it is exploitable over the network with low attack complexity and no user interaction, but only by an authenticated user holding high privileges. Successful exploitation yields high confidentiality impact (such as unauthorized read access to sensitive data in the site database) and low availability impact, and the changed scope indicates that the effect extends beyond the vulnerable plugin to other resources.

Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/stedb-forms/vulnerability/wordpress-stedb-forms-1-0-4-sql-injection-vulnerability?_s_id=cve details the SQL Injection vulnerability specifically in the WordPress plugin stedb-forms version 1.0.4.

Details

CWE(s): CWE-89

MITRE ATT&CK Enterprise Techniques

T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.
Why these techniques?

The SQL Injection vulnerability allows an attacker to run attacker-controlled queries against the application's database, which directly enables unauthorized access to the sensitive data stored there.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
