Mojoomla WPCHURCH CVE-2025-32303
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mojoomla WPCHURCH allows Blind SQL Injection.This issue affects WPCHURCH: from n/a through 2.7.0.
AnalysisAI
WPCHURCH WordPress plugin (through 2.7.0) has blind SQL injection with scope change, enabling unauthenticated extraction of the full WordPress database.
Technical ContextAI
User input is not parameterized in SQL queries (CWE-89). Scope change (S:C) indicates access beyond the plugin's own data to the entire WordPress database.
Affected ProductsAI
WPCHURCH by Mojoomla through 2.7.0
RemediationAI
Remove or update the WPCHURCH plugin. Use a WAF with SQL injection rules.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today