Skip to main content

Social Links WordPress Plugin CVE-2025-25112

HIGH
SQL Injection (CWE-89)
2025-03-03 audit@patchstack.com
7.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:26 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.6

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Social Links allows Blind SQL Injection. This issue affects Social Links: from n/a through 1.2.

AnalysisAI

Blind SQL injection in the NotFound Social Links WordPress plugin (versions ≤1.2) allows authenticated administrators with high privileges to extract sensitive database contents remotely. The CVSS scope change indicates potential compromise beyond the vulnerable plugin's database context. EPSS score of 0.12% suggests low automated exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis. However, the privileged access requirement significantly limits real-world risk to scenarios involving compromised admin accounts or malicious insiders.

Technical ContextAI

This vulnerability stems from CWE-89 (SQL Injection), specifically a blind variant where attackers infer data by observing application behavior rather than direct error messages. The Social Links WordPress plugin fails to properly sanitize user-controlled input before incorporating it into SQL queries. Blind SQL injection typically exploits boolean-based or time-based inference techniques to extract data character-by-character. The CVSS scope change (S:C) indicates the vulnerability can affect resources beyond the plugin's authorization boundary, potentially accessing WordPress core database tables or other plugin data stores within the same MySQL instance.

Affected ProductsAI

NotFound Social Links WordPress plugin versions from the initial release through version 1.2 are confirmed vulnerable based on NVD CPE data. The vulnerability affects WordPress installations with this plugin installed and activated. No vendor advisory URL from NotFound or WordPress.org plugin repository is included in the provided references, making it impossible to independently verify the affected version range or confirm whether subsequent releases exist. Organizations should verify current plugin status directly from the WordPress.org plugin repository or NotFound's official channels.

RemediationAI

Primary remediation requires upgrading Social Links plugin to a version newer than 1.2 if available, though no specific patched version is confirmed in the provided data sources. Organizations should check the WordPress.org plugin repository at https://wordpress.org/plugins/social-links/ for updates released after version 1.2. If no patch exists or immediate upgrade is not feasible, implement these compensating controls: disable the Social Links plugin entirely until patched (impacts social media icon functionality on site), restrict WordPress administrator account access to only essential personnel using principle of least privilege, enforce multi-factor authentication on all administrator accounts to prevent credential compromise, enable WordPress database activity monitoring to detect blind SQL injection attempts via anomalous query patterns, and implement Web Application Firewall rules to block SQL injection payloads in requests to plugin endpoints. Note that WAF rules may generate false positives requiring tuning. The Patchstack references appear mismatched to XSS rather than SQLi, so verify actual vulnerability details with plugin maintainer before applying mitigations.

Share

CVE-2025-25112 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy