CVE-2025-30775

High

Published: 27 March 2025

Published

27 March 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

EPSS Score 0.0018 39.2th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-30775 is an improper neutralization of special elements used in an SQL command, classified as an SQL Injection vulnerability (CWE-89), affecting the WPGuppy Lite WordPress plugin developed by AmentoTech Private Limited. The issue impacts all versions of the plugin from its initial release through version 1.1.3.

According to its CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), the vulnerability can be exploited over the network with low attack complexity by low-privileged users, requiring no user interaction. Successful exploitation allows attackers to achieve high confidentiality impact, such as extracting sensitive data from the database, alongside low availability impact, within a changed scope.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wpguppy-lite/vulnerability/wordpress-wpguppy-plugin-1-1-3-sql-injection-vulnerability?_s_id=cve.

Details

CWE(s): CWE-89

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing WordPress plugin directly enables remote exploitation of the web application for data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://patchstack.com/database/Wordpress/Plugin/wpguppy-lite/vulnerability/wordpress-wpguppy-plugin-1-1-3-sql-injection-vulnerability?_s_id=cve
audit@patchstack.com