Skip to main content

All In Menu CVE-2025-27281

HIGH
SQL Injection (CWE-89)
2025-03-15 audit@patchstack.com
8.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:22 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:31 vuln.today
CVE Published
Mar 15, 2025 - 22:15 nvd
HIGH 8.5

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in cookforweb All In Menu allows Blind SQL Injection. This issue affects All In Menu: from n/a through 1.1.5.

AnalysisAI

Blind SQL injection in All In Menu WordPress plugin versions up to 1.1.5 allows authenticated attackers with low-level privileges to extract sensitive database information and potentially cause limited denial of service. The vulnerability's scope change (S:C) indicates potential cross-boundary impact, enabling attackers to access data beyond the plugin's normal authorization scope. No public exploit identified at time of analysis, with low EPSS score (0.12%, 31st percentile) indicating minimal observed exploitation activity in the wild.

Technical ContextAI

This is a blind SQL injection vulnerability (CWE-89) affecting the All In Menu WordPress plugin developed by cookforweb. The flaw stems from improper neutralization of special SQL characters in user-supplied input, allowing attackers to inject malicious SQL commands that execute within the application's database context. Blind SQL injection differs from traditional SQLi in that attackers cannot directly view query results, instead relying on boolean-based or time-based inference techniques to extract data character-by-character. The WordPress plugin ecosystem is particularly susceptible to SQL injection when developers use direct database queries without properly sanitizing input or leveraging WordPress's prepared statement APIs like $wpdb->prepare(). The vulnerability was reported by Patchstack's audit team, a commercial vulnerability database specializing in WordPress ecosystem security.

Affected ProductsAI

The vulnerability affects All In Menu WordPress plugin by cookforweb, versions from earliest release through 1.1.5 inclusive. The exact starting version is not documented (listed as 'n/a'), indicating the vulnerability may have existed since the plugin's initial release. Organizations can verify their installation by checking wp-content/plugins/all-in-menu/readme.txt for version information. Patchstack advisory available at https://patchstack.com/database/wordpress/plugin/all-in-menu/vulnerability/wordpress-all-in-menu-plugin-1-1-5-sql-injection-vulnerability.

RemediationAI

Primary remediation is to update All In Menu plugin to a version newer than 1.1.5 if available through the WordPress plugin repository or vendor. Check the WordPress admin dashboard under Plugins for available updates, or visit the official plugin page. No specific patched version number is confirmed in available data at time of analysis. If no patch is available or immediate update is not feasible, implement compensating controls: (1) Restrict authenticated user access by disabling open registration (Settings > General > Membership: 'Anyone can register' unchecked) and auditing existing low-privilege accounts, noting this prevents new user signups but may conflict with membership site functionality. (2) Deploy a Web Application Firewall (WAF) with WordPress-specific SQL injection signatures to detect blind SQLi patterns in requests to the plugin's endpoints, though this adds latency and may generate false positives requiring tuning. (3) Enable WordPress database query logging and monitor for unusual SELECT queries with time delays or boolean conditions originating from authenticated sessions, though this increases storage requirements and performance overhead. (4) If the plugin is not actively required for site functionality, deactivate and remove it entirely, the most effective mitigation with no side effects beyond loss of plugin features. Consult Patchstack advisory at https://patchstack.com/database/wordpress/plugin/all-in-menu/ for latest remediation guidance.

Share

CVE-2025-27281 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy