CVE-2025-22527
Published: 09 January 2025
Summary
CVE-2025-22527 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking is the 40th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-22527 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89. It affects the WordPress plugin Mailing Group Listserv (slug wp-mailing-group) developed by Yamna Khawaja, in all versions up to and including 2.0.9 (the advisory gives no lower bound, listed as "n/a"). The vulnerability was published on 2025-01-09.
The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L). Only high-privileged users (PR:H), such as WordPress administrators, can exploit it, remotely over the network with low attack complexity and no user interaction. In practice this means an unauthenticated visitor cannot trigger the flaw directly; the realistic paths are a malicious administrator or an attacker who has already taken over an administrator session. Successful exploitation enables high-impact confidentiality violations, such as extracting sensitive data from the database, with low availability impact and no integrity impact. The changed scope (S:C) reflects that the impacted component, the shared WordPress database, is not the vulnerable plugin itself, so data belonging to other plugins and to WordPress core is reachable.
Advisories, including the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/wp-mailing-group/vulnerability/wordpress-mailing-group-listserv-plugin-2-0-9-sql-injection-vulnerability?_s_id=cve, detail the SQL injection issue in version 2.0.9 and associated mitigation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2805
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yamna Khawaja Mailing Group Listserv wp-mailing-group allows SQL Injection. This issue affects Mailing Group Listserv: from n/a through <= 2.0.9.
- CWE(s): CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1213.006 Data from Information Repositories: Databases
Why these techniques?
SQL injection in a network-reachable WordPress plugin directly enables exploitation of the web application (T1190) and extraction of data from the backend database (T1213.006). Note the PR:H constraint: T1190 describes the delivery path, but the actor must already hold a high-privileged WordPress account to reach the injectable code.
Affected Assets
- WordPress plugin Mailing Group Listserv (wp-mailing-group) by Yamna Khawaja, all versions through 2.0.9
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents SQL injection by requiring that user input used in SQL commands within the wp-mailing-group plugin is validated, and, for query values, bound as parameters rather than concatenated.
- Flaw remediation: Ensures timely remediation of this SQL injection flaw in wp-mailing-group versions through 2.0.9 by updating to a fixed release or removing the plugin.
- RA-5 (Vulnerability Monitoring and Scanning): Identifies CVE-2025-22527 in installed WordPress plugins through regular vulnerability scanning and monitoring.
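What SI-10 means in WordPress terms, as an added example that is not code from the wp-mailing-group plugin: the advisory does not publish the injection sink, so the admin-screen list query below is hypothetical (the table name, parameters and function names are assumptions) and exists only to put the CWE-89 pattern next to the idiomatic fix. Both functions assume they run inside WordPress with `$wpdb` loaded. The admin-only reach matches the PR:H rating, and the example makes the point that a capability check alone does not close the hole, since the rated attacker already passes it.

```php
<?php
// Added example (hypothetical sink, not the plugin's code). Assumes a
// WordPress runtime: $wpdb, absint(), sanitize_key(), ARRAY_A.

// BEFORE (vulnerable, CWE-89): request data is concatenated into SQL.
// The capability check restricts who reaches this code (PR:H), but an
// administrator, or anyone holding an admin session, can still read
// arbitrary tables through the concatenated input, e.g.
//   list_id = "1 UNION SELECT ID, user_pass, 0 FROM wp_users"
//   orderby = "(SELECT 1 FROM wp_users WHERE ...)"   (blind extraction)
function wpmg_list_members_vulnerable(): array {
    global $wpdb;
    if (!current_user_can('manage_options')) {
        return [];
    }
    $table   = $wpdb->prefix . 'mailing_group_members';   // assumed table
    $list_id = $_GET['list_id'] ?? '';
    $orderby = $_GET['orderby'] ?? 'email';
    $sql = "SELECT id, email, status FROM {$table} "
         . "WHERE list_id = {$list_id} ORDER BY {$orderby}";
    return $wpdb->get_results($sql, ARRAY_A);
}

// AFTER (hardened): values are bound through $wpdb->prepare(); the ORDER BY
// column is checked against an allowlist because a bound parameter cannot
// carry an identifier on older cores; the numeric id is cast with absint().
function wpmg_list_members_safe(): array {
    global $wpdb;
    if (!current_user_can('manage_options')) {
        return [];
    }
    $table   = $wpdb->prefix . 'mailing_group_members';   // assumed table
    $list_id = absint($_GET['list_id'] ?? 0);              // non-negative int

    $allowed_orderby = ['email', 'status', 'id'];
    $orderby = sanitize_key($_GET['orderby'] ?? 'email');
    if (!in_array($orderby, $allowed_orderby, true)) {
        $orderby = 'email';
    }

    // %d binds an integer value; %i (WordPress 6.2 and later) binds an
    // identifier and quotes it with backticks. On cores before 6.2, drop %i
    // and interpolate $orderby directly, which is safe only because of the
    // allowlist above.
    $sql = $wpdb->prepare(
        "SELECT id, email, status FROM {$table} WHERE list_id = %d ORDER BY %i",
        $list_id,
        $orderby
    );
    return $wpdb->get_results($sql, ARRAY_A);
}
```

When reviewing a plugin for this class of bug, grep for `$wpdb->query`, `get_results`, `get_var` and `get_row` calls whose SQL string is built with interpolation or concatenation from `$_GET`, `$_POST` or `$_REQUEST`, and treat every identifier (table or column name) that comes from the request as something that needs an allowlist, not just escaping.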