CVE-2025-22349
Published: 07 January 2025
Summary
CVE-2025-22349 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit likelihood ranks at the 30.9th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-22349 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the WP Marka WordPress Auction Plugin (wp-auctions). This issue impacts versions from n/a through 3.7 and carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L), indicating high severity due to its potential for significant data exposure.
High-privileged users (PR:H) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Exploitation changes scope (S:C), enabling attackers to achieve high confidentiality impact (C:H) such as unauthorized data access, alongside low availability impact (A:L) and no integrity impact (I:N).
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-auctions/vulnerability/wordpress-wordpress-auction-plugin-plugin-3-7-sql-injection-vulnerability-2?_s_id=cve provides further details on the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2748
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Marka WordPress Auction Plugin wp-auctions allows SQL Injection. This issue affects WordPress Auction Plugin: from n/a through <= 3.7.
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
SQL injection in a WordPress plugin directly enables exploitation of a public-facing web application for unauthorized data access.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of information inputs to prevent SQL injection exploits like CVE-2025-22349 in the wp-auctions plugin.
- SI-2 (Flaw Remediation): mandates identification, reporting, and timely remediation of flaws, such as patching the vulnerable WP Marka WordPress Auction Plugin to mitigate this SQL injection vulnerability.
- RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning to identify SQL injection flaws like CVE-2025-22349 in plugins, enabling prioritization and remediation.