Social Links WordPress Plugin CVE-2025-25112
HIGHSeverity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Social Links allows Blind SQL Injection. This issue affects Social Links: from n/a through 1.2.
AnalysisAI
Blind SQL injection in the NotFound Social Links WordPress plugin (versions ≤1.2) allows authenticated administrators with high privileges to extract sensitive database contents remotely. The CVSS scope change indicates potential compromise beyond the vulnerable plugin's database context. EPSS score of 0.12% suggests low automated exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis. However, the privileged access requirement significantly limits real-world risk to scenarios involving compromised admin accounts or malicious insiders.
Technical ContextAI
This vulnerability stems from CWE-89 (SQL Injection), specifically a blind variant where attackers infer data by observing application behavior rather than direct error messages. The Social Links WordPress plugin fails to properly sanitize user-controlled input before incorporating it into SQL queries. Blind SQL injection typically exploits boolean-based or time-based inference techniques to extract data character-by-character. The CVSS scope change (S:C) indicates the vulnerability can affect resources beyond the plugin's authorization boundary, potentially accessing WordPress core database tables or other plugin data stores within the same MySQL instance.
Affected ProductsAI
NotFound Social Links WordPress plugin versions from the initial release through version 1.2 are confirmed vulnerable based on NVD CPE data. The vulnerability affects WordPress installations with this plugin installed and activated. No vendor advisory URL from NotFound or WordPress.org plugin repository is included in the provided references, making it impossible to independently verify the affected version range or confirm whether subsequent releases exist. Organizations should verify current plugin status directly from the WordPress.org plugin repository or NotFound's official channels.
RemediationAI
Primary remediation requires upgrading Social Links plugin to a version newer than 1.2 if available, though no specific patched version is confirmed in the provided data sources. Organizations should check the WordPress.org plugin repository at https://wordpress.org/plugins/social-links/ for updates released after version 1.2. If no patch exists or immediate upgrade is not feasible, implement these compensating controls: disable the Social Links plugin entirely until patched (impacts social media icon functionality on site), restrict WordPress administrator account access to only essential personnel using principle of least privilege, enforce multi-factor authentication on all administrator accounts to prevent credential compromise, enable WordPress database activity monitoring to detect blind SQL injection attempts via anomalous query patterns, and implement Web Application Firewall rules to block SQL injection payloads in requests to plugin endpoints. Note that WAF rules may generate false positives requiring tuning. The Patchstack references appear mismatched to XSS rather than SQLi, so verify actual vulnerability details with plugin maintainer before applying mitigations.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today