Skip to main content

WP Featured Entries CVE-2025-30569

HIGH
SQL Injection (CWE-89)
2025-03-24 audit@patchstack.com
8.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:12 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:33 vuln.today
CVE Published
Mar 24, 2025 - 14:15 nvd
HIGH 8.5

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jahertor WP Featured Entries allows SQL Injection. This issue affects WP Featured Entries: from n/a through 1.0.

AnalysisAI

SQL injection in WP Featured Entries WordPress plugin versions up to 1.0 enables authenticated attackers with low-level privileges to extract sensitive database contents and potentially cause database denial of service through scope change. Reported by Patchstack audit team, this vulnerability has low exploitation probability (EPSS 0.09%, 25th percentile) and no confirmed active exploitation or public POC. The scope-changing nature (S:C) allows attackers to impact resources beyond the vulnerable component, escalating the attack's reach despite requiring initial authentication.

Technical ContextAI

This vulnerability stems from CWE-89 (SQL Injection) in the WP Featured Entries WordPress plugin. SQL injection occurs when user-supplied input is incorporated into SQL queries without proper sanitization or parameterization, allowing attackers to manipulate database commands. The plugin version 1.0 and earlier fail to properly neutralize special SQL characters in user input. The WordPress ecosystem commonly suffers from SQL injection in custom plugins due to developers directly concatenating user input into database queries rather than using WordPress's prepared statement APIs like $wpdb->prepare(). The CVSS vector indicates network-based exploitation with low attack complexity, requiring only low-privilege authentication but no user interaction, making it relatively straightforward to exploit once access is obtained.

Affected ProductsAI

Jahertor WP Featured Entries WordPress plugin versions from inception through version 1.0 are confirmed vulnerable per Patchstack vulnerability database entry. The plugin operates within the WordPress content management system ecosystem. No specific CPE data provided, but affects WordPress installations with this plugin active. Patchstack advisory available at https://patchstack.com/database/wordpress/plugin/wp-featured-entries/vulnerability/wordpress-wp-featured-entries-1-0-sql-injection-vulnerability.

RemediationAI

Immediately remove or disable WP Featured Entries plugin version 1.0 and earlier until a patched version becomes available. No vendor-released patched version is confirmed at time of analysis based on available data sources. Check Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-featured-entries/vulnerability/wordpress-wp-featured-entries-1-0-sql-injection-vulnerability for updated patch status. As compensating controls, restrict WordPress user role assignments to trusted administrators only, audit existing contributor and author accounts for necessity, and implement database activity monitoring to detect unusual SQL query patterns. Consider replacing WP Featured Entries with alternative featured content plugins that have active maintenance and security audit history. Review WordPress database logs for suspicious queries containing SQL injection patterns (UNION, SELECT, OR 1=1 constructs) originating from low-privilege user sessions. Note that restricting user roles may impact legitimate content workflow if contributors require access.

Share

CVE-2025-30569 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy