Skip to main content

0 Day Analytics CVE-2025-64293

HIGH
SQL Injection (CWE-89)
2025-11-12 audit@patchstack.com
7.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 24, 2026 - 00:20 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 19:21 vuln.today
CVE Published
Nov 12, 2025 - 16:15 nvd
HIGH 7.6

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Golemiq 0 Day Analytics allows SQL Injection.This issue affects 0 Day Analytics: from n/a through 4.0.0.

AnalysisAI

SQL injection in the 0 Day Analytics WordPress plugin versions through 4.0.0 allows high-privilege authenticated attackers to execute arbitrary SQL queries with cross-scope impact. Reported by Patchstack audit team, this CWE-89 flaw enables database extraction despite requiring admin-level credentials. EPSS score of 0.05% (16th percentile) indicates low predicted exploitation probability, and no active exploitation or public POC has been identified.

Technical ContextAI

This vulnerability stems from improper neutralization of SQL special characters (CWE-89) within the 0 Day Analytics WordPress plugin. The affected component likely involves dynamic SQL query construction where user-controlled input from high-privilege administrators is concatenated into SQL statements without adequate parameterization or escaping. The CVSS scope change (S:C) indicates the vulnerability can affect resources beyond the plugin's security boundary, potentially impacting the underlying WordPress database or other plugins sharing the same database instance. As a WordPress plugin vulnerability, the attack surface exists within the WordPress administrative interface where privileged users interact with analytics functionality.

Affected ProductsAI

Golemiq 0 Day Analytics WordPress plugin versions from initial release through version 4.0.0 are confirmed vulnerable based on Patchstack advisory data. The vulnerability affects all installations running any version up to and including 4.0.0. Advisory details and vulnerability confirmation available at https://patchstack.com/database/wordpress/plugin/0-day-analytics/vulnerability/wordpress-0-day-analytics-plugin-4-0-0-sql-injection-vulnerability

RemediationAI

Primary mitigation requires upgrading to 0 Day Analytics version 4.0.1 or later if available, per Patchstack vulnerability database recommendations (verify current patched version at https://patchstack.com/database/wordpress/plugin/0-day-analytics/). If no patched version exists or immediate upgrade is not feasible, implement compensating controls: restrict WordPress admin role assignments to essential personnel only with documented business justification, enforce multi-factor authentication for all administrator accounts to reduce credential compromise risk, enable WordPress database query logging to detect SQL injection attempts in analytics plugin interactions, and consider temporarily disabling the 0 Day Analytics plugin if analytics functionality is not business-critical until a verified patch is released. Note that restricting admin access may impact legitimate analytics administration workflows and require process adjustments. Monitor Patchstack and the plugin's WordPress repository for official security updates.

Share

CVE-2025-64293 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy