CVE-2025-30604
Published: 24 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-30604 is an Improper Neutralization of Special Elements used in an SQL Command vulnerability, classified as SQL Injection (CWE-89), specifically enabling Blind SQL Injection in the JiangQie Official Website Mini Program WordPress plugin (jiangqie-official-website-mini-program). This flaw affects all versions up to and including 1.8.2, with no lower bound specified. The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L), indicating network accessibility, low complexity, and a changed scope with high confidentiality impact.
Exploitation requires high privileges (PR:H), such as authenticated administrative access, allowing remote attackers to perform Blind SQL Injection over the network without user interaction. Successful attacks enable high confidentiality impact (C:H), potentially extracting sensitive data from the database through inference techniques typical of blind SQLi, alongside low availability impact (A:L).
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/jiangqie-official-website-mini-program/vulnerability/wordpress-jiangqie-official-website-mini-program-plugin-1-8-2-sql-injection-vulnerability?_s_id=cve provides details on the vulnerability in the WordPress plugin context, recommending updates or mitigations for affected installations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in public-facing WordPress plugin enables exploitation of the web application for data extraction from the database.