CVE-2025-68550

2025-12-23

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 23, 2025 - 12:15 (nvd)

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VillaTheme WPBulky wpbulky-wp-bulk-edit-post-types allows Blind SQL Injection. This issue affects WPBulky: from n/a through <= 1.1.13.

Analysis

Blind SQL injection in the VillaTheme WPBulky plugin through version 1.1.13 allows attackers to extract sensitive data from the WordPress database via improper neutralization of SQL command elements. The vulnerability affects the wpbulky-wp-bulk-edit-post-types plugin and is confirmed by the security firm Patchstack, though no public exploit code or active exploitation had been documented at the time of analysis.

Technical Context

This vulnerability stems from CWE-89 (SQL Injection), a classic input validation flaw where user-supplied data is concatenated into SQL queries without proper sanitization or parameterized query preparation. The WPBulky plugin, used for bulk editing WordPress post types, likely processes user input through vulnerable query construction in its post editing workflows. Blind SQL injection specifically allows attackers to infer database structure and content through boolean-based or time-based inference techniques, even when error messages are suppressed. The affected component handles bulk operations that interact directly with the WordPress database layer, making it a critical integration point.

Affected Products

VillaTheme WPBulky (wpbulky-wp-bulk-edit-post-types) through version 1.1.13. The vulnerability affects all installations of this WordPress plugin up to and including version 1.1.13. The Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/wpbulky-wp-bulk-edit-post-types/vulnerability/wordpress-wpbulky-plugin-1-1-13-sql-injection-vulnerability) documents the issue.

Remediation

Update WPBulky to a version released after 1.1.13. Users should navigate to their WordPress plugin dashboard, locate WPBulky, and install the latest available update, which should include input validation and prepared statement fixes to eliminate the SQL injection vector. If no patched version is immediately available, deactivate and remove the plugin until a security update is released. Consult the Patchstack database entry (https://patchstack.com/database/Wordpress/Plugin/wpbulky-wp-bulk-edit-post-types) for confirmation of patch availability and version release timelines. Additionally, implement WordPress security best practices including limited admin access and regular security audits of custom database queries.
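The following PHP snippet is an added illustration of the CWE-89 pattern described under Technical Context and of the prepared-statement fix recommended above. It is not WPBulky's code (the advisory does not show the vulnerable code); the function names, the `post_status` request parameter, the AJAX action name and the nonce name are assumptions made for the example.

```php
<?php
/*
 * Illustration only: how a WordPress bulk-edit handler becomes vulnerable to
 * (blind) SQL injection, and the $wpdb->prepare() form that fixes it.
 * NOT WPBulky's code; all names below are assumptions for the example.
 */

// VULNERABLE PATTERN (assumed, for illustration): request data is concatenated
// straight into the SQL text. A quote or operator inside $status becomes part
// of the query, so the result (or the response time) can be steered without
// any error message being shown, which is what blind injection relies on.
function wpbulky_like_vulnerable_count( $status ) {
    global $wpdb;
    $sql = "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_status = '" . $status . "'";
    return (int) $wpdb->get_var( $sql );
}

// HARDENED: the value is allow-listed against the registered post statuses and
// then bound with $wpdb->prepare(), so it can never alter the query structure.
function wpbulky_like_hardened_count( $status ) {
    global $wpdb;

    // A post status is a short, known token: reject anything not registered.
    $allowed = array_keys( get_post_stati() );
    if ( ! in_array( $status, $allowed, true ) ) {
        return 0;
    }

    // %s is a placeholder; $wpdb->prepare() escapes and quotes the argument.
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_status = %s",
        $status
    );
    return (int) $wpdb->get_var( $sql );
}

// Entry point as it would be wired to admin-ajax.php (hypothetical action name).
// Capability and nonce checks ensure only an authorised, intended bulk-edit
// request reaches the database layer at all.
function wpbulky_like_ajax_count() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'wpbulky_like_count', 'nonce' );

    $status = isset( $_POST['post_status'] )
        ? sanitize_key( wp_unslash( $_POST['post_status'] ) )
        : '';

    wp_send_json_success( array( 'count' => wpbulky_like_hardened_count( $status ) ) );
}
add_action( 'wp_ajax_wpbulky_like_count', 'wpbulky_like_ajax_count' );
```

For the "regular security audits of custom database queries" mentioned above, the practical check is to look for every `$wpdb->query()`, `get_var()`, `get_results()` or `get_row()` call whose SQL argument is not the return value of `$wpdb->prepare()`; the WordPress Coding Standards ruleset for PHP_CodeSniffer reports exactly this as `WordPress.DB.PreparedSQL.NotPrepared`, which makes the audit easy to automate in CI for any custom plugin code.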

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0


