Cyber Resilience

CVE-2025-1446

Severity: Critical · Public PoC

Published: 23 March 2025
Modified: 02 April 2025
KEV Added: not listed
Patch: Pods 3.2.8.2 or later
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (31.4th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1446 is a critical-severity SQL Injection (CWE-89) vulnerability in Podsfoundation Pods. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS ranking places it at the 31.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-1446 is a SQL injection vulnerability (CWE-89) affecting the Pods WordPress plugin in versions before 3.2.8.2. The plugin fails to sanitize and escape a parameter before incorporating it into a SQL statement, enabling injection attacks. Published on 2025-03-23, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, no privileges or user interaction required, and high impacts across confidentiality, integrity, and availability.

Note the discrepancy between the two sources: the advisory description states that the flaw allows admins to perform SQL injection attacks, whereas the CVSS vector (PR:N) scores it as exploitable by unauthenticated remote attackers over the network. Successful exploitation could enable attackers to manipulate database queries, potentially extracting sensitive data, modifying records, or disrupting service.

Advisories from WPScan detail the issue and recommend updating to Pods version 3.2.8.2 or later to mitigate the vulnerability. Additional details are available at https://wpscan.com/vulnerability/c170fb45-7ed5-40ef-99f6-8da035a23d89/.
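The mechanism described above (a request parameter spliced into SQL text without sanitization or escaping) and the SI-10 remedy (the value is bound as a parameter, never concatenated into the statement) are shown side by side in the following added example. It is illustrative code written for this page, not the Pods plugin's own code: the table, rows and the probe input are constructed, and the in-memory SQLite database stands in for the WordPress database. In a WordPress plugin the hardened pattern corresponds to `$wpdb->prepare()` with placeholders.

```python
import sqlite3

# Constructed stand-in for a plugin table; not the Pods plugin's schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_pods_items (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_pods_items (name, secret) VALUES (?, ?)",
        [("public-post", "none"), ("draft-post", "internal-token")],
    )
    return conn

def find_vulnerable(conn, name):
    # CWE-89 pattern: the parameter becomes part of the SQL text, so a value
    # containing a quote changes the structure of the query itself.
    sql = f"SELECT id, name FROM wp_pods_items WHERE name = '{name}'"
    return list(conn.execute(sql))

def find_hardened(conn, name):
    # SI-10 style fix: the value is passed to the driver as a bound parameter.
    # Whatever it contains, it is compared as data and cannot alter the query.
    sql = "SELECT id, name FROM wp_pods_items WHERE name = ?"
    return list(conn.execute(sql, (name,)))

# Constructed probe: closes the string literal and appends a condition that is
# always true. It shows why the two functions differ; it targets nothing real.
PROBE = "' OR '1'='1"

def compare(name):
    """Return (rows from the vulnerable query, rows from the hardened query)."""
    conn = build_db()
    return find_vulnerable(conn, name), find_hardened(conn, name)

if __name__ == "__main__":
    for value in ("public-post", PROBE):
        vuln, safe = compare(value)
        print(f"{value!r}: vulnerable -> {len(vuln)} row(s), hardened -> {len(safe)} row(s)")
```

With the benign name both queries return the single matching row; with the probe the string-built query returns every row in the table while the parameterized query returns none, which is the behaviour a reviewer should expect from any plugin query that handles request input.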


Vulnerability details

The Pods WordPress plugin before 3.2.8.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.

CWE(s): CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection vulnerability in a public-facing WordPress plugin directly enables remote exploitation of the application over the network without authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-39334 (shared CWE-89)
CVE-2024-13488 (shared CWE-89)
CVE-2026-20002 (shared CWE-89)
CVE-2025-22699 (shared CWE-89)
CVE-2026-36232 (shared CWE-89)
CVE-2026-31871 (shared CWE-89)
CVE-2026-33078 (shared CWE-89)
CVE-2026-46359 (shared CWE-89)
CVE-2025-22691 (shared CWE-89)
CVE-2026-21410 (shared CWE-89)

Affected Assets

Vendor: podsfoundation · Product: pods · Versions: ≤ 3.2.8.2

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: SI-10 directly requires information input validation mechanisms to sanitize and escape parameters before use in SQL statements, preventing SQL injection attacks like CVE-2025-1446.

Prevent: SI-2 mandates timely identification, reporting, and correction of system flaws, such as updating the Pods WordPress plugin to version 3.2.8.2 or later to remediate the SQL injection vulnerability.

Detect: RA-5 requires vulnerability scanning to identify the presence of the vulnerable Pods plugin version, enabling proactive detection and remediation of CVE-2025-1446.
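The RA-5 check above amounts to reading the installed plugin's declared version and comparing it with the fixed release. The following added example does that for the `Version:` line of a WordPress plugin's main-file header; it is written for this page, not taken from any scanner or from the Pods project. The fixed version 3.2.8.2 and the "before 3.2.8.2" affected range follow the advisory text on this page; the sample headers are constructed.

```python
import re

# Fixed release per the advisory text on this page: versions before this are affected.
FIXED_VERSION = "3.2.8.2"

# Constructed sample plugin headers (not real Pods release files).
SAMPLE_HEADER_OLD = """<?php
/**
 * Plugin Name: Pods
 * Version: 3.2.7
 */
"""
SAMPLE_HEADER_FIXED = """<?php
/**
 * Plugin Name: Pods
 * Version: 3.2.8.2
 */
"""

def parse_plugin_version(header_text):
    # WordPress plugins declare their version on a "Version:" line inside the
    # header comment of the main plugin file.
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)\s*$", header_text, re.MULTILINE)
    return m.group(1) if m else None

def version_tuple(version):
    # Compare dotted versions numerically; a non-numeric component counts as 0.
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)

def is_affected(version):
    # "Before 3.2.8.2" as stated in the advisory text.
    return version_tuple(version) < version_tuple(FIXED_VERSION)

def assess_plugin_header(header_text):
    """Return a small finding record for one plugin header."""
    version = parse_plugin_version(header_text)
    if version is None:
        return {"version": None, "affected": None, "reason": "no Version header found"}
    affected = is_affected(version)
    reason = (f"{version} is below fixed release {FIXED_VERSION}" if affected
              else f"{version} is at or above fixed release {FIXED_VERSION}")
    return {"version": version, "affected": affected, "reason": reason}

if __name__ == "__main__":
    for label, header in (("old", SAMPLE_HEADER_OLD), ("fixed", SAMPLE_HEADER_FIXED)):
        print(label, assess_plugin_header(header))
```

Pointing this at the real main file of the installed plugin (and at every other copy of it on the host, since stale copies in backup or staging directories are a common blind spot) gives the evidence RA-5 asks for before the SI-2 update is scheduled.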
