CVE-2025-0861
Published: 30 January 2025
Summary
CVE-2025-0861 is a medium-severity SQL Injection (CWE-89) vulnerability in Vruiz Vr-Frases. Its CVSS base score is 4.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 31.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 directly prevents SQL injection by requiring validation and sanitization of user-supplied parameters before use in database queries, addressing the insufficient escaping in this WordPress plugin.
SI-2 mandates identification, reporting, and correction of flaws like this SQL injection vulnerability, ensuring timely patching of the affected plugin versions.
RA-5 requires vulnerability scanning that can identify SQL injection issues like CVE-2025-0861 in web applications and plugins prior to exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing WordPress plugin directly enables T1190 exploitation for initial access and facilitates T1213.006 (Data from Information Repositories: Databases) exfiltration of database contents.
NVD Description
The VR-Frases (collect & share quotes) plugin for WordPress is vulnerable to SQL Injection via several parameters in all versions up to, and including, 3.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Deeper analysis
CVE-2025-0861 is a SQL injection vulnerability (CWE-89) in the VR-Frases (collect & share quotes) plugin for WordPress, affecting all versions up to and including 3.0.1. The issue stems from insufficient escaping of user-supplied parameters and lack of sufficient preparation in existing SQL queries, impacting several parameters in the plugin's code.
Unauthenticated attackers can exploit the vulnerability by appending additional SQL queries to existing ones, allowing extraction of sensitive information from the database. The CVSS v3.1 base score is 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N), reflecting high confidentiality impact over the network with low attack complexity but high privileges required.
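As an added illustration (not the plugin's own code, which is linked below), the following contrasts the defect class the analysis describes, request values interpolated into the SQL text with insufficient escaping, against the prepared form that SI-10 calls for in a WordPress plugin. The parameter names, table name and column names are assumptions for the example.

```php
<?php
// Added illustration of the CWE-89 defect class described above; this is NOT
// the VR-Frases plugin's code. Parameter names ('autor', 'categoria', 'orden'),
// the table name and the column names are hypothetical.

// BEFORE (vulnerable pattern): request values are interpolated into the SQL
// text. Missing or incomplete escaping leaves the query text under the
// caller's control, which is the "insufficient escaping / lack of preparation"
// defect the advisory describes.
function vrf_quotes_vulnerable( $wpdb ) {
    $table = $wpdb->prefix . 'vr_frases';
    $autor = isset( $_GET['autor'] ) ? $_GET['autor'] : '';
    $orden = isset( $_GET['orden'] ) ? $_GET['orden'] : 'id';
    return $wpdb->get_results(
        "SELECT id, frase, autor FROM {$table} WHERE autor = '{$autor}' ORDER BY {$orden}"
    );
}

// AFTER (hardened): values are bound through $wpdb->prepare(), so the query
// structure is fixed before any user value is attached. Identifiers such as the
// ORDER BY column cannot be bound as values, so they are allowlisted instead.
function vrf_quotes_fixed( $wpdb ) {
    $table     = $wpdb->prefix . 'vr_frases';
    $autor     = isset( $_GET['autor'] ) ? sanitize_text_field( wp_unslash( $_GET['autor'] ) ) : '';
    $categoria = isset( $_GET['categoria'] ) ? absint( $_GET['categoria'] ) : 0;

    // Only a fixed set of column names may reach the query text.
    $allowed_order = array( 'id', 'autor', 'fecha' );
    $orden = isset( $_GET['orden'] ) ? sanitize_key( $_GET['orden'] ) : 'id';
    if ( ! in_array( $orden, $allowed_order, true ) ) {
        $orden = 'id';
    }

    // %s and %d are $wpdb placeholders; prepare() quotes and escapes the bound values.
    $sql = $wpdb->prepare(
        "SELECT id, frase, autor FROM {$table} WHERE autor = %s AND categoria_id = %d ORDER BY {$orden}",
        $autor,
        $categoria
    );
    return $wpdb->get_results( $sql );
}
```

When reviewing a plugin for this class of issue, every `$wpdb->query()` / `get_results()` call whose query string is built by interpolation rather than passed through `prepare()` (or an allowlist for identifiers) is a candidate finding.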
Mitigation details are referenced in advisories including the plugin source code at https://plugins.svn.wordpress.org/vr-frases/tags/3.0.1/includes/vr-frases-admin.php, a changeset at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3278561%40vr-frases&new=3278561%40vr-frases&sfp_email=&sfph_mail=, and Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/1d9d5afb-d38d-442c-8511-f1683739a1da?source=cve. The vulnerability was published on 2025-01-30.
Details
- CWE(s)