Skip to main content

CVE-2025-49055

CRITICAL
SQL Injection (CWE-89)
2026-01-22 audit@patchstack.com
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 22, 2026 - 17:15 nvd
CRITICAL 9.8

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages wp-lead-capture allows Blind SQL Injection.This issue affects WP Lead Capturing Pages: from n/a through <= 2.5.

AnalysisAI

WP Learn SQL Injection allows unauthenticated attackers to execute arbitrary SQL queries against the WordPress database, exposing all stored data.

Technical ContextAI

The WP Learn plugin by kamleshyadav has a CWE-89 SQL injection vulnerability that allows unauthenticated attackers to inject arbitrary SQL commands through unsanitized input parameters.

Affected ProductsAI

WP Learn WordPress plugin by kamleshyadav

RemediationAI

Remove or update the plugin. Use WordPress security plugins with SQLi protection.

Share

CVE-2025-49055 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy