CVE-2025-52819

2025-07-16 [email protected]

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
CVE Published: Jul 16, 2025 - 12:15 (nvd)

Description (NVD)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pakkemx Pakke Envíos pakke allows SQL Injection. This issue affects Pakke Envíos: from n/a through <= 1.0.2.

Analysis (AI)

A SQL injection vulnerability in the Pakke Envíos WordPress plugin, versions up to and including 1.0.2, lets an attacker inject arbitrary SQL into a database query because user-supplied input is not properly neutralized before it reaches the query. The NVD description does not state which request parameter is affected or what privilege level is required, so the Patchstack advisory should be consulted for the access conditions. No CVSS score has been published. EPSS estimates the probability of exploitation within the next 30 days at 0.05%, which points to limited attacker interest so far but says nothing about the impact of a successful attack. No public exploit code or active exploitation has been confirmed.

Technical Context (AI)

The vulnerability exists in Pakke Envíos (vendor pakkemx, plugin slug pakke), a WordPress plugin for shipping management, and is classified as CWE-89 (SQL Injection): user-supplied input is incorporated into a SQL query without being neutralized. WordPress plugins are server-side PHP code that query the site's MySQL/MariaDB database through the $wpdb object; SQL injection in this setting typically arises when request parameters, form fields, cookies or HTTP headers are concatenated into the query string instead of being passed through $wpdb->prepare() with %s/%d placeholders (or another parameterized query mechanism). Escaping alone is not a complete fix, because escaping only protects a quoted string context and does nothing for a value spliced into a numeric comparison or an identifier. Affected versions through 1.0.2 lack this parameterization on at least one query; the public description does not name the vulnerable parameter or code path.
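To make the pattern concrete, the following is an added example written for this page, not code from the Pakke Envíos plugin: the concatenation bug a WordPress handler usually has, the escaped-but-unquoted variant that is still injectable, and the parameterized fix. PDO with an in-memory SQLite database stands in for $wpdb so the file runs without WordPress; the table name wp_pakke_shipments, the column and parameter names, and the injection strings are all constructed for the demonstration and are not taken from the advisory.

```php
<?php
// Added example, not code from the Pakke Envíos plugin: the CWE-89 pattern a
// WordPress handler typically has, next to its fix. PDO + in-memory SQLite stands
// in for $wpdb so this runs without WordPress; table, column and parameter names
// are assumptions, not the plugin's.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE wp_pakke_shipments (id INTEGER PRIMARY KEY, tracking_code TEXT, customer_email TEXT)');
$pdo->exec("INSERT INTO wp_pakke_shipments (tracking_code, customer_email)
            VALUES ('PK-1001', 'alice@example.com'), ('PK-1002', 'bob@example.com')");

// VULNERABLE: request input is spliced into the SQL text. In a plugin this is
// $wpdb->get_results( "SELECT ... WHERE tracking_code = '{$_GET['code']}'" ).
function lookup_vulnerable(PDO $pdo, string $code): array
{
    $sql = "SELECT tracking_code, customer_email FROM wp_pakke_shipments WHERE tracking_code = '$code'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// STILL VULNERABLE: escaping quotes does nothing in an unquoted numeric context.
// WordPress analogue: "WHERE id = " . esc_sql( $_GET['id'] ) with input "1 OR 1=1".
function lookup_escaped_unquoted(PDO $pdo, string $id): array
{
    $escaped = str_replace("'", "''", $id);   // naive stand-in for esc_sql()
    return $pdo->query("SELECT tracking_code FROM wp_pakke_shipments WHERE id = $escaped")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: the value is bound as a parameter and is never parsed as SQL.
// WordPress equivalent: $wpdb->get_results( $wpdb->prepare(
//   "SELECT tracking_code, customer_email FROM {$wpdb->prefix}pakke_shipments WHERE tracking_code = %s",
//   $code ) );
function lookup_fixed(PDO $pdo, string $code): array
{
    $stmt = $pdo->prepare('SELECT tracking_code, customer_email FROM wp_pakke_shipments WHERE tracking_code = ?');
    $stmt->execute([$code]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED (numeric): coerce to int and bind it; WordPress equivalent is the %d placeholder.
function lookup_by_id_fixed(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT tracking_code FROM wp_pakke_shipments WHERE id = ?');
    $stmt->bindValue(1, (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: one legitimate lookup and two textbook injection strings.
$benign       = 'PK-1001';
$quotePayload = "' OR '1'='1";
$numPayload   = '1 OR 1=1';

foreach ([
    'vulnerable / benign'                => lookup_vulnerable($pdo, $benign),
    'vulnerable / quote payload'         => lookup_vulnerable($pdo, $quotePayload),
    'escaped-unquoted / numeric payload' => lookup_escaped_unquoted($pdo, $numPayload),
    'fixed / benign'                     => lookup_fixed($pdo, $benign),
    'fixed / quote payload'              => lookup_fixed($pdo, $quotePayload),
    'fixed-int / numeric payload'        => lookup_by_id_fixed($pdo, $numPayload),
] as $label => $rows) {
    printf("%-36s -> %d row(s)\n", $label, count($rows));
}
```

Run it with php on any build that ships the pdo_sqlite extension. The concatenated query hands back every shipment for the tautology payload, and the escaped-but-unquoted query does the same for "1 OR 1=1", because the escaping never touches the unquoted number; the two bound versions return only the matching row, or nothing when the payload is treated as a literal string. When reviewing a plugin, grep for $wpdb->query, get_results, get_var and get_row calls whose SQL is built with string interpolation or concatenation rather than $wpdb->prepare().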

Affected Products (AI)

Pakke Envíos (pakkemx) WordPress plugin is affected in versions 1.0.2 and earlier. The vulnerability was reported by [email protected] and is documented in the Patchstack vulnerability database (https://patchstack.com/database/Wordpress/Plugin/pakke/vulnerability/wordpress-pakke-envios-1-0-2-sql-injection-vulnerability?_s_id=cve). No other related products or vendor-branded variants were identified in the provided intelligence.

Remediation (AI)

Users of Pakke Envíos should upgrade to the fixed release as soon as one is available. The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/pakke/vulnerability/wordpress-pakke-envios-1-0-2-sql-injection-vulnerability?_s_id=cve) is the primary reference for the exact fixed version number and its release date; verify the installed version against it rather than assuming any release later than 1.0.2 is patched. Until a fix is installed, site administrators should deactivate the plugin if it is not essential, or as a stopgap apply Web Application Firewall rules that block SQL injection patterns in requests reaching the plugin's endpoints, keeping in mind that generic signatures can be bypassed and may block legitimate traffic. Database query logging (for example the MySQL general log or slow-query log) and retained web server access logs allow attempted exploitation to be identified after the fact; regular database backups support recovery but do not by themselves detect a compromise.
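For the log-review part of the guidance above, the following is an added example for this page, not a tool from vuln.today, Patchstack or the plugin vendor: a small PHP script that walks Apache combined-format access log lines, keeps only requests aimed at the plugin, URL-decodes each query parameter and flags values matching common SQL injection signatures. The plugin directory /wp-content/plugins/pakke/ is assumed from the slug in the Patchstack URL; the track.php file, the pakke_track AJAX action, the code and id parameters and every log line are constructed for the demonstration and do not describe the real vulnerable endpoint.

```php
<?php
// Added example, not the plugin's or vuln.today's code: retrospective hunting
// for SQL-injection attempts against a WordPress plugin in access logs.
// Plugin directory assumed from the slug "pakke"; because the real AJAX action
// names are unknown, every admin-ajax.php / admin-post.php request is inspected.
declare(strict_types=1);

const PLUGIN_PATHS = ['/wp-content/plugins/pakke/', '/wp-admin/admin-ajax.php', '/wp-admin/admin-post.php'];

// Signatures applied to each URL-decoded parameter value. Tune to local traffic;
// expect false positives on free-text fields that legitimately contain quotes.
const SQLI_PATTERNS = [
    'quote_tautology' => '/\'\s*(or|and)\s*[\'"\d]/i',
    'union_select'    => '/\bunion\b[\s\/\*]+(all\s+)?select\b/i',
    'comment_tail'    => '/(--|#|\/\*)\s*$/',
    'time_based'      => '/\b(sleep|benchmark|pg_sleep)\s*\(/i',
    'stacked_query'   => '/;\s*(select|insert|update|delete|drop)\b/i',
];

// Constructed sample lines (Apache "combined" format); none are real traffic.
$log = <<<'LOG'
203.0.113.5 - - [16/Jul/2025:12:20:01 +0000] "GET /wp-admin/admin-ajax.php?action=pakke_track&code=PK-1001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Jul/2025:12:20:07 +0000] "GET /wp-admin/admin-ajax.php?action=pakke_track&code=PK-1001%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9822 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Jul/2025:12:21:40 +0000] "GET /wp-content/plugins/pakke/track.php?id=1%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users-- HTTP/1.1" 200 1400 "-" "curl/8.0"
198.51.100.9 - - [16/Jul/2025:12:22:15 +0000] "GET /wp-content/plugins/pakke/track.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 230 "-" "curl/8.0"
192.0.2.77 - - [16/Jul/2025:12:23:00 +0000] "GET /?p=12 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
LOG;

// Split one combined-format line into the fields we need; null if it does not parse.
function parse_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $url   = parse_url($m[4]);
    $query = [];
    parse_str($url['query'] ?? '', $query);   // parse_str() URL-decodes the values
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $url['path'] ?? '', 'params' => $query, 'status' => (int) $m[5]];
}

function targets_plugin(string $path): bool
{
    foreach (PLUGIN_PATHS as $prefix) {
        if (strpos($path, $prefix) === 0) {
            return true;
        }
    }
    return false;
}

// Return one hit per suspicious parameter: who, when, where, which rule fired.
function scan(string $logText): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($logText)) as $line) {
        $req = parse_line($line);
        if ($req === null || !targets_plugin($req['path'])) {
            continue;
        }
        foreach ($req['params'] as $name => $value) {
            if (!is_string($value)) {
                continue;   // nested array parameters are out of scope here
            }
            foreach (SQLI_PATTERNS as $rule => $re) {
                if (preg_match($re, $value)) {
                    $hits[] = ['ip' => $req['ip'], 'time' => $req['time'], 'path' => $req['path'],
                               'param' => (string) $name, 'rule' => $rule, 'value' => $value];
                    break;   // one alert per parameter is enough
                }
            }
        }
    }
    return $hits;
}

foreach (scan($log) as $h) {
    printf("%s %-13s %s param=%s rule=%s value=%s\n",
           $h['time'], $h['ip'], $h['path'], $h['param'], $h['rule'], $h['value']);
}
```

The first and last sample lines pass untouched; the three injection attempts are reported with the parameter and the rule that matched, which is the starting point for pivoting on the source address and checking the database for the effects of whatever query the plugin would have run. POST bodies are not in the access log, so for admin-ajax.php and admin-post.php the same patterns should also be applied to the database query log, where the spliced-in input appears verbatim.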


CVE-2025-52819 vulnerability details – vuln.today
