Cyber Resilience

CVE-2025-14124

High

Published: 05 January 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: update The Team plugin to version 5.0.11 or later
CVSS Score (v3.1): 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0156 (72.0th percentile)
Risk Priority: 60 (floored blend, peak EPSS)

Summary

CVE-2025-14124 is a high-severity SQL injection vulnerability in The Team WordPress plugin; the record lists no CWE. Its CVSS v3.1 base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 28.0% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The Team WordPress plugin before version 5.0.11 contains a SQL injection vulnerability: it fails to properly sanitize and escape a parameter supplied to an AJAX action before incorporating the value into a SQL statement. The flaw is reachable without authentication and carries a CVSS 3.1 score of 8.6, reflecting a network attack vector, low attack complexity, no privileges or user interaction required, and changed scope with high confidentiality impact (no integrity or availability impact).

Unauthenticated attackers can invoke the affected AJAX endpoint to inject arbitrary SQL and extract sensitive data from the WordPress database. Because the action is registered for unauthenticated callers, exploitation requires no credentials or user interaction.

The WPScan advisory for this issue recommends updating the plugin to version 5.0.11 or later. EPSS for the CVE rose from lower values to a peak of 0.1033 on 2026-05-07 before receding to 0.0736, indicating a period of increased exploitation interest after disclosure.

EU & UK References

Vulnerability details

The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

CWE(s)
None listed

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in a public-facing WordPress plugin enables unauthenticated remote exploitation of a public-facing application (T1190) and arbitrary database queries for sensitive data extraction (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly requires validation and sanitization of the unauthenticated AJAX parameter before its use in SQL statements, preventing SQL injection.

SI-2 Flaw Remediation (prevent)

Mandates identification, reporting, and timely remediation of the SQL injection flaw by updating The Team WordPress plugin to version 5.0.11 or later.

SC-7 Boundary Protection (prevent / detect)

Implements boundary protection such as a web application firewall to monitor and block SQL injection attempts against the publicly accessible, unauthenticated AJAX endpoint. This is a compensating control; it does not remove the flaw and should not delay patching.
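The following is an added example illustrating both the flaw described under "Deeper analysis" and the SI-10 control above. It is not code from The Team plugin or from the WPScan advisory; the action name `team_example_lookup`, the parameters `member_id` and `q`, and the table `{$wpdb->prefix}team_example_members` are hypothetical. It shows the vulnerable pattern (request value concatenated into the SQL text of an unauthenticated `wp_ajax_nopriv_` handler) beside the hardened form (type validation, then `$wpdb->prepare()` binding).

```php
<?php
/**
 * Added example, not plugin code. The action name "team_example_lookup",
 * the parameters "member_id" and "q", and the table
 * "{$wpdb->prefix}team_example_members" are hypothetical.
 */

// Vulnerable pattern: the request value is concatenated into the SQL text.
// A caller can POST
//   member_id=0 UNION SELECT user_login, user_pass FROM wp_users
// (default table prefix) and the database runs it as part of the statement.
function team_example_lookup_vulnerable() {
    global $wpdb;
    $id   = isset( $_POST['member_id'] ) ? wp_unslash( $_POST['member_id'] ) : '0';
    $rows = $wpdb->get_results(
        "SELECT id, name FROM {$wpdb->prefix}team_example_members WHERE id = " . $id
    );
    wp_send_json( $rows );
}

// Hardened pattern: validate the parameter's type first (SI-10), then hand it
// to $wpdb->prepare() so it is bound as data and cannot alter the statement.
function team_example_lookup_hardened() {
    global $wpdb;

    $raw_id = isset( $_POST['member_id'] ) ? wp_unslash( $_POST['member_id'] ) : '';
    // Allow-list validation: only a positive decimal integer is acceptable.
    if ( ! is_string( $raw_id ) || ! ctype_digit( $raw_id ) || (int) $raw_id <= 0 ) {
        // wp_send_json_error() emits the JSON body and exits.
        wp_send_json_error( array( 'message' => 'invalid member_id' ), 400 );
    }
    $id = (int) $raw_id;

    // Optional free-text filter: sanitize, escape LIKE wildcards, bind as %s.
    $q    = isset( $_POST['q'] ) ? sanitize_text_field( wp_unslash( $_POST['q'] ) ) : '';
    $like = '%' . $wpdb->esc_like( $q ) . '%';

    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, name FROM {$wpdb->prefix}team_example_members
             WHERE id = %d AND name LIKE %s",
            $id,
            $like
        )
    );
    wp_send_json( $rows );
}

// Register only the hardened handler. The wp_ajax_nopriv_* hook is what makes
// the endpoint reachable without authentication; register it only if anonymous
// access to this data is actually intended.
add_action( 'wp_ajax_team_example_lookup', 'team_example_lookup_hardened' );
add_action( 'wp_ajax_nopriv_team_example_lookup', 'team_example_lookup_hardened' );
```

Two caveats a reviewer would check: `$wpdb->prepare()` binds values only, so a table or column name taken from the request still needs an explicit allow-list, and `sanitize_text_field()` on its own is not SQL escaping; the protection comes from the `%d`/`%s` placeholders. A WAF rule in front of `admin-ajax.php` (SC-7) can block obvious `UNION SELECT` payloads while the update to 5.0.11 is rolled out, but it is a compensating control, not a fix.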

References