Cyber Resilience

CVE-2025-1648

High · Public PoC

Published: 25 February 2025
Modified: 28 February 2025
KEV added: not listed
Patch: none recorded
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0101 (77.5th percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-1648 is a high-severity SQL Injection (CWE-89) vulnerability in the Yawave plugin for WordPress (vendor Yawave). Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 22.5% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

The Yawave plugin for WordPress is vulnerable to SQL injection via the 'lbid' parameter in all versions through 2.9.1. The flaw arises from insufficient escaping of user input combined with the lack of prepared statements when constructing SQL queries in the liveblog shortcode handler, allowing arbitrary query manipulation.

Unauthenticated remote attackers can supply crafted values to the parameter and append additional SQL statements to existing queries. Successful exploitation yields extraction of sensitive information from the database without requiring authentication or user interaction, consistent with the CVSS 7.5 rating that emphasizes high confidentiality impact.

Public references point to the affected code path and third-party analyses, but no specific patch version, mitigation steps, or official advisory guidance on remediation are detailed in the available information. The associated EPSS scores remain low with only a minor increase between current and peak values.


Vulnerability details

The Yawave plugin for WordPress is vulnerable to SQL Injection via the 'lbid' parameter in all versions up to, and including, 2.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CWE(s): CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Direct unauthenticated SQL injection in public-facing WordPress plugin enables remote exploitation of web application for database data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39334 (shared CWE-89)
CVE-2024-13488 (shared CWE-89)
CVE-2026-20002 (shared CWE-89)
CVE-2025-1446 (shared CWE-89)
CVE-2025-22699 (shared CWE-89)
CVE-2026-36232 (shared CWE-89)
CVE-2026-31871 (shared CWE-89)
CVE-2026-33078 (shared CWE-89)
CVE-2026-46359 (shared CWE-89)
CVE-2025-22691 (shared CWE-89)

Affected Assets

yawave / yawave: versions ≤ 2.9.1

Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): directly counters SQL injection by requiring validation and sanitization of user-supplied inputs such as the 'lbid' parameter, so they cannot be used to manipulate the query.
- Flaw remediation (prevent): mandates timely flaw remediation, such as patching the Yawave plugin to fix the insufficient escaping and lack of statement preparation in versions up to 2.9.1.
- RA-5 Vulnerability Monitoring and Scanning (detect): requires vulnerability scanning to identify the SQL injection flaw in the Yawave plugin, enabling remediation before exploitation.
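The following is an added illustration of the defect class described in the deeper analysis above and of the SI-10 input-validation control: a WordPress shortcode handler that interpolates a request parameter into a SQL string, shown next to the hardened form. It is not Yawave's code; the shortcode name, table name, column names and the assumption that 'lbid' arrives as a request parameter are all hypothetical. `$wpdb->prepare()`, `$wpdb->get_results()`, `add_shortcode()`, `absint()`, `wp_unslash()` and `esc_html()` are real WordPress APIs.

```php
<?php
// Added example, not Yawave's code. The shortcode name, table and column
// names are hypothetical; the WordPress functions used are real.

// Shared rendering helper so both handlers below produce the same output.
function example_liveblog_render( $rows ) {
    $out = '';
    foreach ( (array) $rows as $row ) {
        // esc_html() keeps database content from becoming markup.
        $out .= '<h3>' . esc_html( $row->title ) . '</h3>';
        $out .= '<p>' . esc_html( $row->body ) . '</p>';
    }
    return $out;
}

// CWE-89 pattern as described for CVE-2025-1648: the 'lbid' value is neither
// escaped nor bound as a parameter, so whatever the client sends becomes part
// of the SQL text and can change the query's structure.
function example_liveblog_unsafe( $atts ) {
    global $wpdb;
    $lbid  = isset( $_GET['lbid'] ) ? $_GET['lbid'] : '';
    $table = $wpdb->prefix . 'example_liveblog';   // hypothetical table
    $rows  = $wpdb->get_results(
        "SELECT title, body FROM {$table} WHERE id = '" . $lbid . "'"
    );
    return example_liveblog_render( $rows );
}

// Hardened form (SI-10 in practice): coerce the parameter to the type the
// query actually needs and let $wpdb->prepare() bind it through a %d
// placeholder, so the value can only ever be an integer literal. absint()
// yields 0 for anything non-numeric, which is treated as "nothing to show"
// and never reaches the database. The table name is still interpolated, but
// it is built from $wpdb->prefix, not from user input.
function example_liveblog_safe( $atts ) {
    global $wpdb;
    $lbid = isset( $_GET['lbid'] ) ? absint( wp_unslash( $_GET['lbid'] ) ) : 0;
    if ( 0 === $lbid ) {
        return '';
    }
    $table = $wpdb->prefix . 'example_liveblog';   // hypothetical table
    $sql   = $wpdb->prepare(
        "SELECT title, body FROM {$table} WHERE id = %d",
        $lbid
    );
    return example_liveblog_render( $wpdb->get_results( $sql ) );
}

// Only the hardened handler is registered; the unsafe one is kept purely
// to show the pattern a code review or scanner (RA-5) should flag.
add_shortcode( 'example_liveblog', 'example_liveblog_safe' );
```

In review, the signal to look for is any `$wpdb->query()` / `$wpdb->get_results()` call whose SQL string is assembled with `.` or `"{$var}"` from something that traces back to `$_GET`, `$_POST`, `$_REQUEST` or a shortcode attribute; the fix is always the same shape as `example_liveblog_safe()`: type coercion first, then `$wpdb->prepare()` with placeholders.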

References