Skip to main content

AnalyticsWP CVE-2025-39389

CRITICAL
SQL Injection (CWE-89)
2025-05-19 audit@patchstack.com
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 28, 2026 - 20:11 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:42 vuln.today
CVE Published
May 19, 2025 - 20:15 nvd
CRITICAL 9.3

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Solid Plugins AnalyticsWP allows SQL Injection.This issue affects AnalyticsWP: from n/a through 2.1.2.

AnalysisAI

Unauthenticated SQL injection in AnalyticsWP WordPress plugin versions up to 2.1.2 allows remote attackers to extract sensitive database contents via crafted SQL queries. The CVSS 9.3 score reflects network-accessible exploitation with no authentication required and changed scope, enabling high confidentiality impact and low availability impact. EPSS probability is relatively low at 0.23% (46th percentile), suggesting limited active exploitation despite the critical severity rating. Patchstack vulnerability database confirms the flaw, indicating third-party security research disclosure.

Technical ContextAI

This vulnerability affects the AnalyticsWP WordPress plugin, a statistics and analytics solution for WordPress websites. The root cause is CWE-89 (SQL Injection), occurring when the plugin fails to properly sanitize user-supplied input before incorporating it into SQL queries. WordPress plugins frequently interact with the WordPress database (typically MySQL/MariaDB) to store and retrieve analytics data, page views, visitor statistics, and custom tracking information. When input validation is absent or insufficient, attackers can inject malicious SQL syntax through HTTP parameters, POST data, cookies, or headers. The changed scope (S:C) in the CVSS vector indicates the vulnerable component (the plugin) can affect resources beyond its security scope, potentially compromising the entire WordPress database including user credentials, post content, and other plugin data stored in shared database tables.

Affected ProductsAI

The vulnerability affects AnalyticsWP WordPress plugin versions from the earliest available release through version 2.1.2 inclusive, as confirmed by Patchstack vulnerability database. The vendor is Solid Plugins. The vulnerability database reference indicates all installations running version 2.1.2 or earlier are vulnerable. Specific CPE data is not provided in available sources, but the affected software runs as a WordPress plugin requiring WordPress 4.0 or later (typical minimum for modern plugins). Advisory and technical details are available at Patchstack database entry for AnalyticsWP.

RemediationAI

Immediately upgrade AnalyticsWP plugin to version 2.1.3 or later if available, verifying the fix version through the WordPress plugin repository or Solid Plugins official channels. The Patchstack database entry at https://patchstack.com/database/wordpress/plugin/analyticswp/ should be consulted for confirmed patched versions and vendor advisory links. If an updated version is not yet available or cannot be immediately deployed, implement the following compensating controls: deactivate and remove the AnalyticsWP plugin entirely until patched, replacing with alternative analytics solutions like Jetpack Stats or MonsterInsights; implement Web Application Firewall (WAF) rules specifically targeting SQL injection patterns in requests to AnalyticsWP endpoints, though signature-based detection may be bypassed by obfuscated payloads; restrict WordPress database user privileges to minimum necessary operations (SELECT, INSERT, UPDATE, DELETE on specific tables only, never GRANT or FILE privileges), limiting the impact of successful SQL injection to data exfiltration rather than server-level compromise. Note that WAF rules add latency and maintenance overhead, and restrictive database privileges may break some WordPress functionality requiring administrative queries.

Share

CVE-2025-39389 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy