CVE-2025-22351
Published: 07 January 2025
Summary
CVE-2025-22351 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-22351 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the penguinarts Contact Form 7 Database – CFDB7 WordPress plugin (slug: advanced-cf7-database). All versions up to and including 1.0.0 are affected; no lower bound is given ("n/a"). The vulnerability was published on 2025-01-07.
The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L). An attacker with network access and high privileges (PR:H), such as an authenticated WordPress user holding an elevated role, can exploit it with low attack complexity and no user interaction. Successful exploitation allows injection of arbitrary SQL into a query issued by the plugin, resulting in high confidentiality impact (unauthorized read access to database contents), no integrity impact, and low availability impact; the scope is changed (S:C) because the WordPress database, not just the plugin, is affected. The high-privilege requirement is what holds the score below Critical and accounts for the below-median exploit-likelihood ranking, but it does not remove the risk on sites where trusted roles are shared or where a lower-privileged account has already been compromised.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/advanced-cf7-database/vulnerability/wordpress-contact-form-7-database-cfdb7-plugin-1-0-0-sql-injection-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2750
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in penguinarts Contact Form 7 Database – CFDB7 advanced-cf7-database allows SQL Injection. This issue affects Contact Form 7 Database – CFDB7: from n/a through <= 1.0.0.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
T1190 (Exploit Public-Facing Application): SQL injection in a publicly reachable WordPress plugin is exploited by sending crafted requests to the web application itself, yielding unauthorized access to the site's database. Because the flaw requires high privileges, the technique applies after an attacker already holds (or has compromised) an elevated WordPress account.
Affected Assets
- WordPress plugin: Contact Form 7 Database – CFDB7 (penguinarts, slug advanced-cf7-database), versions <= 1.0.0
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) (AI)
- SI-10 (Information Input Validation): directly requires validating and sanitizing user-supplied input before it reaches the SQL queries issued by the Contact Form 7 Database plugin, which is the root cause of this CVE. In practice this means binding values with parameterized queries ($wpdb->prepare()) and allowlisting any identifiers (column names, sort direction) that cannot be bound.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and patching of flaws such as this SQL injection; sites running CFDB7 at version 1.0.0 or earlier should update to a fixed release per the Patchstack advisory linked above.
- AC-6 (Least Privilege): enforces least privilege on WordPress accounts so that the high-privilege role (PR:H) needed to trigger the injection is held by as few users as possible, reducing the population of accounts whose compromise would enable exploitation.