CVE-2025-1446
Published: 23 March 2025
Summary
CVE-2025-1446 is a critical-severity SQL Injection (CWE-89) vulnerability in Podsfoundation Pods. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 31.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-1446 is a SQL injection vulnerability (CWE-89) affecting the Pods WordPress plugin in versions before 3.2.8.2. The plugin fails to sanitize and escape a parameter before incorporating it into a SQL statement, enabling injection attacks. Published on 2025-03-23, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, no privileges or user interaction required, and high impacts across confidentiality, integrity, and availability.
The CVE description says the flaw allows admins to perform SQL injection, while the CVSS vector carries PR:N, which would mean an unauthenticated remote attacker. That is a discrepancy in the published scoring, not two separate attack paths: the advisory text is the more specific statement of the preconditions, so treat an administrator session as the likely requirement while still patching on the critical rating. Once the injection is reachable, the attacker controls the query the plugin builds and can read other tables in the WordPress database (user records and password hashes, options), modify records, or disrupt service. One caveat on impact: on a single-site install an administrator can already execute arbitrary code by uploading a plugin, so the additional exposure is greatest on multisite networks, where site administrators lack that capability, and wherever an administrator session can be obtained by other means.
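The pattern the advisory describes, shown here as an added illustration rather than Pods' own code (the advisory does not name the parameter Pods mishandled): a hypothetical admin-ajax handler whose request parameters reach a SQL statement unescaped, beside a hardened form that binds values with $wpdb->prepare() and allowlists the identifiers that cannot be bound. The table name, parameter names, capability and handler names are assumptions; $wpdb, prepare(), esc_like() and the admin-ajax hooks are standard WordPress API.

```php
<?php
/**
 * Added illustration (not Pods' code): the CWE-89 shape behind CVE-2025-1446
 * and its hardened form, as a hypothetical WordPress admin-ajax handler.
 * Table name, parameter names and the capability check are assumptions.
 */

// Vulnerable shape: request parameters are concatenated straight into the SQL.
// The capability check does not help; an administrator (or anyone holding an
// admin session) controls $search and $orderby and so controls the statement.
function example_lookup_vulnerable() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $search  = isset( $_GET['search'] ) ? wp_unslash( $_GET['search'] ) : '';
    $orderby = isset( $_GET['orderby'] ) ? wp_unslash( $_GET['orderby'] ) : 'id';

    $table = $wpdb->prefix . 'example_items'; // assumed table
    $sql   = "SELECT id, name FROM {$table} WHERE name LIKE '%{$search}%' ORDER BY {$orderby}";
    // search = "' UNION SELECT user_login, user_pass FROM wp_users -- " turns this
    // into a dump of every account's password hash; the trailing ORDER BY is
    // commented out by the payload.
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// Hardened shape: values go through $wpdb->prepare(); identifiers that cannot
// be parameterised (ORDER BY column and direction) are checked against an
// allowlist, and the admin-only endpoint is also nonce-protected.
function example_lookup_hardened() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_lookup' ); // CSRF protection

    $search  = isset( $_GET['search'] ) ? sanitize_text_field( wp_unslash( $_GET['search'] ) ) : '';
    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( $_GET['orderby'] ) : 'id';
    $order   = ( isset( $_GET['order'] ) && 'desc' === strtolower( $_GET['order'] ) ) ? 'DESC' : 'ASC';

    $allowed_orderby = array( 'id', 'name', 'created' ); // assumed columns
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'id';
    }

    $table = $wpdb->prefix . 'example_items';
    // prepare() quotes and escapes the %s value; esc_like() escapes % and _
    // so the caller cannot widen the LIKE match either.
    $like = '%' . $wpdb->esc_like( $search ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, name FROM {$table} WHERE name LIKE %s ORDER BY {$orderby} {$order}",
        $like
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_example_lookup_hardened', 'example_lookup_hardened' );
```

Two points worth keeping in mind when auditing similar code: sanitize_text_field() alone is not a SQL fix (it strips tags and control characters, not quotes), so the binding in prepare() is what actually neutralises the input; and prepare() cannot bind table or column names, which is why ORDER BY and similar identifier positions need an allowlist rather than escaping.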
Advisories from WPScan detail the issue and recommend updating to Pods version 3.2.8.2 or later to mitigate the vulnerability. Additional details are available at https://wpscan.com/vulnerability/c170fb45-7ed5-40ef-99f6-8da035a23d89/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8026
Vulnerability details
The Pods WordPress plugin before 3.2.8.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
A SQL injection flaw in a public-facing WordPress plugin is reached by sending crafted requests to the web application over the network, which is the T1190 pattern. Note the tension with the CVE description, which states that administrator privileges are needed; the CVSS vector (PR:N) implies unauthenticated access, but the advisory wording is the more specific statement of the preconditions (see Deeper analysis).
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation) requires that inputs be checked for validity before the system acts on them. For CWE-89 that means validating the parameter and binding it with a prepared statement ($wpdb->prepare() in WordPress) rather than concatenating it into the query; that is the root-cause fix for CVE-2025-1446, and it is what the 3.2.8.2 release had to add.
SI-2 mandates timely identification, reporting, and correction of system flaws, such as updating the Pods WordPress plugin to version 3.2.8.2 or later to remediate the SQL injection vulnerability.
RA-5 requires vulnerability scanning to identify the presence of the vulnerable Pods plugin version, enabling proactive detection and remediation of CVE-2025-1446.
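A check for the SI-2 and RA-5 items above, added here and not part of the advisory or of Pods: enumerate the installed plugins through the core get_plugins() API and flag any copy of Pods below the fixed version 3.2.8.2, including inactive copies and network-activated copies on multisite. The Pods main-file path (pods/init.php) and text domain (pods) used to recognise the plugin are assumptions; get_plugins(), is_plugin_active(), is_plugin_active_for_network() and version_compare() are core WordPress and PHP functions.

```php
<?php
/**
 * Added check (not part of the advisory or of Pods): report whether an
 * installed copy of Pods is below the fixed version 3.2.8.2.
 * Run from the site root with WP-CLI, `wp eval-file pods-check.php`, or place
 * it in wp-content/mu-plugins/ to print on every load (remove it afterwards).
 * The plugin main-file path and text domain are assumptions.
 */
const EXAMPLE_PODS_FIXED_VERSION = '3.2.8.2';

function example_find_vulnerable_pods() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $findings = array();
    // get_plugins() reads plugin headers from disk, so an installed-but-inactive
    // copy is reported too; it still needs updating before it is ever activated.
    foreach ( get_plugins() as $file => $data ) {
        $is_pods = 'pods/init.php' === $file                  // assumed main file
            || 'pods' === ( $data['TextDomain'] ?? '' );     // assumed text domain
        if ( ! $is_pods ) {
            continue;
        }
        $findings[] = array(
            'file'       => $file,
            'version'    => $data['Version'],
            'vulnerable' => version_compare( $data['Version'], EXAMPLE_PODS_FIXED_VERSION, '<' ),
            'active'     => is_plugin_active( $file )
                || ( is_multisite() && is_plugin_active_for_network( $file ) ),
        );
    }
    return $findings;
}

foreach ( example_find_vulnerable_pods() as $f ) {
    printf(
        "%s %s (%s): %s\n",
        $f['file'],
        $f['version'],
        $f['active'] ? 'active' : 'inactive',
        $f['vulnerable']
            ? 'VULNERABLE to CVE-2025-1446, update to ' . EXAMPLE_PODS_FIXED_VERSION . ' or later'
            : 'not affected'
    );
}
```

On a multisite network, run this once at the network level: plugin files are shared across all sites, so one outdated copy exposes every site on which it is active. After updating, re-run the check to confirm the header now reads 3.2.8.2 or later rather than relying on the update screen alone.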