CVE-2025-32303

CRITICAL
2026-01-07 [email protected]
CVSS 3.1: 9.3

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)
CVE Published: Jan 07, 2026 - 13:15 (nvd), CRITICAL 9.3

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mojoomla WPCHURCH allows Blind SQL Injection. This issue affects WPCHURCH: from n/a through 2.7.0.

Analysis

The WPCHURCH WordPress plugin (through 2.7.0) has a blind SQL injection vulnerability with scope change, enabling unauthenticated extraction of the full WordPress database.

Technical Context

User input is not parameterized in SQL queries (CWE-89). Scope change (S:C) indicates access beyond the plugin's own data to the entire WordPress database.

Affected Products

WPCHURCH by Mojoomla through 2.7.0

Remediation

Remove or update the WPCHURCH plugin. Use a WAF with SQL injection rules.

Priority Score

47
KEV: 0
EPSS: +0.0
CVSS: +46
POC: 0
