Skip to main content

WP Profitshare CVE-2025-30525

HIGH
SQL Injection (CWE-89)
2025-03-24 audit@patchstack.com
7.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:19 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:33 vuln.today
CVE Published
Mar 24, 2025 - 14:15 nvd
HIGH 7.6

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ProfitShare.ro WP Profitshare allows SQL Injection. This issue affects WP Profitshare: from n/a through 1.4.9.

AnalysisAI

SQL injection in WP Profitshare plugin for WordPress allows authenticated administrators to extract sensitive database contents or disrupt availability. Affects versions up to 1.4.9. The CVSS 7.6 score reflects high confidentiality impact with scope change, indicating potential database-wide access beyond the plugin's normal privileges. EPSS score of 0.21% (44th percentile) suggests low current exploitation probability, and no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

Technical ContextAI

WP Profitshare is a WordPress plugin for integrating the ProfitShare.ro affiliate marketing platform. The vulnerability is a classic SQL injection (CWE-89) where user-supplied input is incorporated into SQL queries without proper sanitization or parameterization. While the exact injection point is not specified in available data, the CVSS vector indicates network-accessible functionality requiring high-privilege (administrator) authentication. The scope change (S:C) in the CVSS vector suggests the SQL injection can access database resources beyond the plugin's normal security boundary, potentially affecting other WordPress tables or plugins sharing the same database. WordPress plugins commonly implement SQL injection vulnerabilities in custom query implementations that bypass WordPress's prepared statement functions like $wpdb->prepare().

Affected ProductsAI

WordPress WP Profitshare plugin versions from earliest release through 1.4.9 are affected, per Patchstack advisory. The vulnerability was reported by audit@patchstack.com and documented at https://patchstack.com/database/wordpress/plugin/wp-profitshare/vulnerability/wordpress-wp-profitshare-plugin-1-4-9-sql-injection-vulnerability. No CPE strings were provided in the available data, but the product is distributed through the WordPress plugin repository as 'wp-profitshare'.

RemediationAI

Upgrade WP Profitshare plugin to version 1.5.0 or later if available (check WordPress plugin repository or vendor site at ProfitShare.ro for the patched release). The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-profitshare/vulnerability/wordpress-wp-profitshare-plugin-1-4-9-sql-injection-vulnerability should contain specific patch version details. If no patched version exists, implement compensating controls: restrict WordPress administrator role to only trusted personnel, enable database query logging to detect injection attempts, implement Web Application Firewall (WAF) rules to inspect POST/GET parameters for SQL syntax (note: may cause false positives in legitimate admin operations), or temporarily disable the WP Profitshare plugin if affiliate tracking can be paused (trade-off: loss of commission tracking and reporting functionality). For hardened environments, consider database-level access controls that limit the WordPress database user to only necessary tables, though this may break legitimate plugin functionality.

Share

CVE-2025-30525 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy