Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ThimPress WP Pipes wp-pipes allows SQL Injection.This issue affects WP Pipes: from n/a through <= 1.4.3.
AnalysisAI
SQL injection in WP Pipes WordPress plugin versions through 1.4.3 enables unauthenticated remote attackers to extract sensitive database contents and potentially disrupt service availability. The vulnerability carries CVSS 9.3 (Critical) due to network-accessible attack vector with no authentication or user interaction required, though real-world risk is moderated by low EPSS score (0.06%, 19th percentile) indicating minimal observed exploitation activity. Exploitation requires no special conditions beyond accessing the vulnerable WordPress installation, and Patchstack has published detailed vulnerability intelligence.
Technical ContextAI
This is a classic SQL injection vulnerability (CWE-89) affecting the WP Pipes plugin for WordPress, developed by ThimPress. SQL injection occurs when user-supplied input is improperly sanitized before being incorporated into SQL database queries, allowing attackers to inject malicious SQL commands. The CPE identifier (cpe:2.3:a:thimpress:wp_pipes:*:*:*:*:*:wordpress:*:*) confirms this affects the WordPress plugin ecosystem. WP Pipes appears to be a data integration or automation plugin that likely processes external data sources, creating SQL queries dynamically. The lack of proper input validation through parameterized queries or prepared statements allows attackers to manipulate database operations. The 'Changed' scope in the CVSS vector (S:C) indicates the vulnerability can affect resources beyond the plugin itself, potentially compromising the entire WordPress database and associated applications.
RemediationAI
Immediately upgrade WP Pipes to version 1.4.4 or later if available from the WordPress plugin repository or ThimPress official channels. Verify the installed version through WordPress admin dashboard under Plugins section and confirm update completion. Consult Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-pipes/vulnerability/wordpress-wp-pipes-1-4-3-sql-injection-vulnerability for vendor-specific remediation guidance and version confirmation. If patched version is not yet available or upgrade is delayed, implement compensating controls: disable the WP Pipes plugin entirely until patching is complete (safest option with no functionality trade-off if plugin is unused), restrict WordPress admin access to trusted IP addresses via .htaccess or firewall rules (reduces attack surface but does not prevent exploitation if vulnerability exists in public-facing endpoints), deploy web application firewall rules to detect and block SQL injection patterns in requests to wp-admin and wp-content/plugins/wp-pipes paths (may cause false positives requiring tuning, does not guarantee complete protection against obfuscated payloads). After patching, review WordPress database logs and access logs from the remediation period for indicators of exploitation including unusual database queries, unexpected admin account creation, or exfiltration of wp_users table contents.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today