Skip to main content

WPBulky CVE-2025-68550

HIGH
SQL Injection (CWE-89)
2025-12-23 audit@patchstack.com
7.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

5
Analysis Updated
Apr 24, 2026 - 00:12 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
7.6 (HIGH)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 23, 2025 - 12:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VillaTheme WPBulky wpbulky-wp-bulk-edit-post-types allows Blind SQL Injection.This issue affects WPBulky: from n/a through <= 1.1.13.

AnalysisAI

Blind SQL injection in WPBulky WordPress plugin through version 1.1.13 allows high-privileged authenticated attackers to extract database contents and potentially cause limited service disruption. The vulnerability exists in the bulk edit functionality where user-supplied input is improperly sanitized before inclusion in SQL queries. With EPSS score of 0.04% (12th percentile) and no public exploit code identified, immediate mass exploitation appears unlikely, though administrator-level compromise could enable data exfiltration from WordPress databases.

Technical ContextAI

WPBulky is a WordPress plugin providing bulk editing capabilities for post types. The vulnerability stems from CWE-89 (SQL Injection) where special SQL metacharacters in user input are not properly neutralized before being incorporated into database queries. As a blind SQL injection, attackers cannot see query results directly but can infer data through timing attacks or boolean-based techniques, extracting information character-by-character. The changed scope (S:C) in the CVSS vector indicates the vulnerable component (plugin) operates with different privileges than the WordPress core, allowing potential access beyond the plugin's intended security boundary to the underlying database layer.

Affected ProductsAI

VillaTheme WPBulky (WordPress plugin) versions from earliest release through 1.1.13 are confirmed vulnerable. The plugin provides bulk editing functionality for WordPress post types. Full remediation details are available in the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/wpbulky-wp-bulk-edit-post-types/vulnerability/wordpress-wpbulky-plugin-1-1-13-sql-injection-vulnerability.

RemediationAI

Update WPBulky to version 1.1.14 or later if available, verifying the vendor has addressed CVE-2025-68550 in release notes. Check the official WordPress plugin repository or VillaTheme website for the patched version. Until patching is possible, implement defense-in-depth controls: restrict WordPress administrator role assignments to only essential personnel, enable two-factor authentication for all admin accounts to prevent credential compromise, review admin account activity logs for suspicious bulk edit operations, and consider temporarily disabling the WPBulky plugin if bulk editing functionality is not immediately required. For production sites, implement web application firewall rules to detect SQL injection patterns in POST requests to WPBulky endpoints, though this provides incomplete protection against blind injection techniques. Full advisory and patch confirmation: https://patchstack.com/database/Wordpress/Plugin/wpbulky-wp-bulk-edit-post-types/vulnerability/wordpress-wpbulky-plugin-1-1-13-sql-injection-vulnerability.

Share

CVE-2025-68550 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy