CVE-2025-30784
Published: 27 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-30784 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the WP Subscription Forms plugin (wp-subscription-forms) for WordPress developed by WP Shuffle. This issue impacts all versions of the plugin from n/a through 1.2.3, as published on 2025-03-27.
The vulnerability carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), indicating it can be exploited over the network by a low-privileged authenticated user with low attack complexity and no user interaction. Exploitation enables high confidentiality impact, such as unauthorized data extraction from the database, alongside low availability disruption, with a changed scope that may affect additional resources.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-subscription-forms/vulnerability/wordpress-wp-subscription-forms-1-2-3-sql-injection-vulnerability?_s_id=cve. Security practitioners should review this reference for patching guidance and update affected WordPress installations accordingly.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing WordPress plugin directly enables exploitation of the web application (T1190) and facilitates unauthorized database data extraction (T1213.006).