How to fix CVE-2025-2074?

Within 30 days: Identify affected systems running all and apply vendor patches as part of regular patch cycle. Validate input sanitization for user-controlled parameters.

Is PHP affected by CVE-2025-2074?

Organizations using all should be aware of moderate risk from CVE-2025-2074, a SQL injection vulnerability rated CVSS 5.3. Exploitation could allow attackers to execute code or inject malicious input. Organizations should apply vendor updates when available and monitor for exploitation.

CVE-2025-2074

MEDIUM

2025-03-28 [email protected]

Google WordPress SQLi PHP

5.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:33 vuln.today

CVE Published

Mar 28, 2025 - 08:15 nvd

MEDIUM 5.3

DescriptionNVD

The Advanced Google reCAPTCHA plugin for WordPress is vulnerable to generic SQL Injection via the ‘sSearch’ parameter in all versions up to, and including, 1.29 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries, particularly when the plugin’s settings page hasn’t been visited and its welcome message has not been dismissed. This issue can be used to extract sensitive information from the database.

AnalysisAI

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. The Advanced Google reCAPTCHA plugin for WordPress is vulnerable to generic SQL Injection via the ‘sSearch’ parameter in all versions up to, and including, 1.29 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries, particularly when the plugin’s settings page hasn’t been visited and its welcome message has not been dismissed. This issue can be used to extract sensitive information from the database.

Affected ProductsAI

See vendor advisory for affected versions.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

CVE-2025-2074 vulnerability details – vuln.today

Back

CVE-2025-2074

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

External POC / Exploit Code