CVE-2025-14124
Published: 05 January 2026
Summary
CVE-2025-14124 is a high-severity vulnerability whose weakness type is unspecified. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 28.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The Team WordPress plugin before version 5.0.11 contains a SQL injection vulnerability because it fails to properly sanitize and escape a parameter supplied to an AJAX action before incorporating the value into a SQL statement. The flaw is reachable without authentication and carries a CVSS 3.1 base score of 8.6, reflecting a network attack vector, low attack complexity, changed scope, and high confidentiality impact.
Unauthenticated attackers can invoke the affected AJAX endpoint to inject arbitrary SQL, enabling extraction of sensitive data from the database. Because the action is publicly accessible, exploitation requires no credentials or user interaction.
The WPScan advisory at the referenced URL identifies the issue and recommends updating the plugin to version 5.0.11 or later. EPSS for the CVE rose from lower values to a peak of 0.1033 on 2026-05-07 before receding to the current 0.0736, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-0837
Vulnerability details
The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
- CWE(s): none listed (weakness type unspecified)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing WordPress plugin enables unauthenticated remote exploitation of public-facing application (T1190) and arbitrary database queries for sensitive data extraction (T1213.006).
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of the unauthenticated AJAX parameter before its use in SQL statements, preventing SQL injection execution.
- SI-2 (Flaw Remediation): mandates identification, reporting, and timely remediation of the SQL injection flaw by patching The Team WordPress plugin to version 5.0.11 or later.
- SC-7 (Boundary Protection): implements boundary protection such as web application firewalls to monitor and block SQL injection attempts against publicly accessible unauthenticated AJAX endpoints.
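To make the defect class in the vulnerability details and the SI-10 control concrete, here is an added illustration of an unauthenticated WordPress AJAX handler written the vulnerable way beside a hardened version. This is example code written for this page, not the Team plugin's code, and every name in it (the `team_member_search` action, the `q` parameter, the `team_members` table) is invented; the page does not disclose the real action or parameter.

```php
<?php
/*
 * Hypothetical illustration of the defect class (not the Team plugin's code).
 * The action name, parameter name and table name are all invented.
 */

// VULNERABLE PATTERN: the request value is concatenated into the SQL string,
// so attacker-controlled text becomes part of the query structure.
function example_vulnerable_member_search() {
    global $wpdb;
    $q    = isset( $_REQUEST['q'] ) ? $_REQUEST['q'] : '';
    $sql  = "SELECT id, name, role FROM {$wpdb->prefix}team_members "
          . "WHERE name LIKE '%" . $q . "%'";
    $rows = $wpdb->get_results( $sql );
    wp_send_json_success( $rows );
}

// HARDENED PATTERN: validate the input, escape LIKE metacharacters, and bind
// the value with $wpdb->prepare() so it can never alter the query structure.
function example_hardened_member_search() {
    global $wpdb;

    // Normalise and bound the input before it goes anywhere near the database.
    $q = isset( $_REQUEST['q'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['q'] ) )
        : '';
    if ( '' === $q || strlen( $q ) > 64 ) {
        wp_send_json_error( array( 'message' => 'invalid search term' ), 400 );
    }

    // esc_like() neutralises % and _ so the caller cannot widen the match;
    // prepare() turns the value into a bound %s placeholder.
    $like = '%' . $wpdb->esc_like( $q ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, name, role FROM {$wpdb->prefix}team_members "
        . "WHERE name LIKE %s LIMIT %d",
        $like,
        50
    );
    $rows = $wpdb->get_results( $sql );

    wp_send_json_success( $rows );
}

// Registering the wp_ajax_nopriv_ hook is what makes the endpoint reachable by
// anonymous visitors (the "public-facing" exposure behind T1190). Only the
// hardened handler is wired up here; if anonymous access is not a product
// requirement, drop the nopriv registration entirely.
add_action( 'wp_ajax_team_member_search',        'example_hardened_member_search' );
add_action( 'wp_ajax_nopriv_team_member_search', 'example_hardened_member_search' );
```

Two points worth noting when reviewing a plugin for this class of bug: `sanitize_text_field()` alone does not prevent SQL injection (it strips tags and control characters, not quotes), so the parameterisation in `$wpdb->prepare()` is the control that actually closes the hole; and a nonce check does not help on a `wp_ajax_nopriv_` endpoint, because an unauthenticated attacker can obtain a logged-out nonce from any public page that emits one.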