CVE-2025-28972

EUVD-2025-18521 | HIGH
Published: 2025-06-17
CVSS 3.1 base score: 7.6

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 22:15 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 22:15 (euvd), EUVD-2025-18521
CVE Published: Jun 17, 2025 - 15:15 (nvd), CVSS 7.6 HIGH

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Suhas Surse WP Employee Attendance System allows Blind SQL Injection. This issue affects WP Employee Attendance System: from n/a through 3.5.

Analysis

Blind SQL Injection vulnerability in Suhas Surse WP Employee Attendance System, affecting versions through 3.5, allowing authenticated attackers with high privileges to extract sensitive database information. The CVSS score of 7.6 indicates moderate-to-high severity: the confidentiality impact is high, but the attack requires administrator-level credentials, and the integrity and availability impacts are limited. No KEV designation or widespread public POC availability has been reported, though because the flaw is an SQL injection, exploitation is in principle straightforward for a skilled attacker.

Technical Context

This vulnerability exists in the WP Employee Attendance System WordPress plugin, a staffing/HR management tool. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): the plugin fails to sanitize or parameterize user-supplied input before incorporating it into SQL queries. Blind SQL Injection differs from standard SQL injection in that query results and error messages are not returned directly in the response; an attacker must infer database structure and contents through time-based delays, boolean-based response differences, or out-of-band channels. The affected product is a WordPress plugin (CPE likely: cpe:2.3:a:suhas_surse:wp_employee_attendance_system:*:*:*:*:*:wordpress:*:*) that runs against the WordPress database backend (typically MySQL/MariaDB). The vulnerable query construction likely resides in attendance-related functionality such as attendance reports or employee data retrieval endpoints.

Affected Products

WP Employee Attendance System (3.5 and earlier)

Remediation

Immediate action:
(1) Update WP Employee Attendance System to version 3.6 or later if available from the plugin repository.
(2) If no patch is currently released, temporarily restrict administrator account access to trusted users only and audit admin account activity logs for suspicious database queries.
(3) Implement WordPress security hardening: use security plugins (Wordfence, Sucuri) to monitor for SQL injection patterns in logs.
(4) Code-level fix: the plugin developer must use parameterized queries (prepared statements with placeholders) for all database operations, replacing direct query construction with parameterized methods (e.g., the WordPress $wpdb->prepare() function).
Recommendation: check the WordPress.org plugin repository and Suhas Surse's official channels for security advisories and patch release dates. Validate patches cryptographically before deployment in production.
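The following is an added illustration of the code-level fix described in item (4); it is not code from the WP Employee Attendance System plugin, and the function names, table names and parameters are hypothetical. The WordPress APIs it relies on ($wpdb->prepare(), $wpdb->esc_like(), absint(), sanitize_text_field()) are real core functions.

```php
<?php
// Added example (not the plugin's code): a hypothetical attendance lookup
// written first in the CWE-89 pattern, then with $wpdb->prepare().

// VULNERABLE: request values are concatenated straight into the SQL string,
// so a crafted value alters the query itself. Suppressing error output does
// not help; the altered query still runs, which is what blind SQLi relies on.
function eas_get_attendance_vulnerable( $employee_id, $from_date ) {
    global $wpdb;
    $table = $wpdb->prefix . 'employee_attendance';   // assumed table name
    $sql   = "SELECT * FROM {$table} WHERE employee_id = {$employee_id} "
           . "AND att_date >= '{$from_date}'";
    return $wpdb->get_results( $sql );
}

// FIXED: every value is bound through a typed placeholder (%d integer,
// %s string, %f float), so the database never parses user input as SQL.
// The table name comes from the trusted $wpdb->prefix, not from input,
// so interpolating it is safe. Type coercion is applied as defence in depth.
function eas_get_attendance_fixed( $employee_id, $from_date ) {
    global $wpdb;
    $table = $wpdb->prefix . 'employee_attendance';   // assumed table name
    $sql   = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE employee_id = %d AND att_date >= %s",
        absint( $employee_id ),
        sanitize_text_field( $from_date )
    );
    return $wpdb->get_results( $sql );
}

// LIKE searches need one extra step: escape the wildcard characters before
// binding, otherwise a '%' or '_' in the input still widens the match even
// though the query is no longer injectable.
function eas_search_employees_fixed( $name_fragment ) {
    global $wpdb;
    $table = $wpdb->prefix . 'employees';   // assumed table name
    $like  = '%' . $wpdb->esc_like( sanitize_text_field( $name_fragment ) ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, name FROM {$table} WHERE name LIKE %s", $like )
    );
}
```

Reviewing a plugin for this bug means searching for $wpdb->query(), get_results(), get_var() and get_row() calls whose SQL argument is built by concatenation or interpolation rather than returned by $wpdb->prepare().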

Priority Score

Priority score: 38 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +38
POC: 0

CVE-2025-28972 vulnerability details – vuln.today