Skip to main content

PGS Core CVE-2025-60118

HIGH
SQL Injection (CWE-89)
2025-09-26 audit@patchstack.com
8.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 24, 2026 - 01:24 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 19:14 vuln.today
CVE Published
Sep 26, 2025 - 09:15 nvd
HIGH 8.5

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Potenzaglobalsolutions PGS Core allows SQL Injection. This issue affects PGS Core: from n/a through 5.9.0.

AnalysisAI

SQL injection in PGS Core WordPress plugin through version 5.9.0 allows authenticated attackers with low privileges to extract sensitive database contents and potentially degrade system availability. The vulnerability features low attack complexity and crosses scope boundaries (CVSS S:C), enabling lateral movement beyond the plugin's intended access boundaries. EPSS exploitation probability is minimal (0.03%, 10th percentile) and no active exploitation or public exploit code has been identified, suggesting this remains a disclosure-phase vulnerability requiring authenticated access.

Technical ContextAI

This vulnerability affects PGS Core, a WordPress plugin developed by Potenzaglobalsolutions. The flaw is a classic CWE-89 SQL injection vulnerability where user-controlled input is improperly sanitized before being incorporated into SQL queries. WordPress plugins commonly interact with the WordPress database (typically MySQL/MariaDB) using the wpdb class, and failures to use prepared statements or proper escaping functions (like esc_sql or $wpdb->prepare) create injection points. The changed scope (S:C) in the CVSS vector indicates the vulnerable component's security boundary can be exceeded, meaning an attacker could potentially access database tables beyond those intended for the plugin, affecting the broader WordPress installation and other plugins sharing the same database.

Affected ProductsAI

PGS Core WordPress plugin versions from earliest release through version 5.9.0 are vulnerable, as reported by Patchstack. The vulnerability affects WordPress installations where this plugin is active. Specific version introduction point is not documented (marked 'n/a' in advisory), suggesting the flaw may exist in the plugin's original codebase. Vendor advisory and technical details are available at Patchstack's vulnerability database: https://patchstack.com/database/wordpress/plugin/pgs-core/vulnerability/wordpress-pgs-core-plugin-5-9-0-sql-injection-vulnerability

RemediationAI

Update PGS Core plugin to version 5.9.1 or later if available through the WordPress plugin repository or vendor channels. Check the official Patchstack advisory at https://patchstack.com/database/wordpress/plugin/pgs-core/vulnerability/wordpress-pgs-core-plugin-5-9-0-sql-injection-vulnerability for confirmed patched version. If no patch is immediately available, implement compensating controls: Restrict PGS Core plugin functionality to only administrator-level users through WordPress role management, reducing the pool of potential authenticated attackers (trade-off: limits legitimate subscriber/contributor access to plugin features). Deploy a WordPress Web Application Firewall (WAF) like Wordfence or Sucuri with SQL injection signature detection to block common SQL injection patterns targeting the plugin (trade-off: may generate false positives requiring tuning). Consider temporarily deactivating PGS Core plugin if its functionality is non-critical until vendor releases a confirmed patch (trade-off: loss of plugin features). Implement database activity monitoring to detect anomalous SQL query patterns originating from WordPress application user accounts.

Share

CVE-2025-60118 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy