CVE-2025-22533
Published: 07 January 2025
Summary
CVE-2025-22533 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it ranks at the 23.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-22533 is an improper neutralization of special elements used in an SQL command, resulting in a SQL injection vulnerability (CWE-89), affecting the WOOEXIM WordPress plugin developed by bulktheme. The issue impacts all versions of WOOEXIM from unknown initial versions through 5.0.0 inclusive. Published on 2025-01-07, it carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L).
High-privileged users, such as those with administrative access, can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation enables high-impact confidentiality violations, such as unauthorized access to sensitive database information, alongside low availability disruption and changed scope, though integrity remains unaffected.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wooexim/vulnerability/wordpress-wooexim-plugin-5-0-0-sql-injection-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2811
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bulktheme WOOEXIM wooexim allows SQL Injection. This issue affects WOOEXIM: from n/a through <= 5.0.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a WordPress web plugin directly enables remote exploitation of a public-facing application (T1190) by high-privileged users to access database contents.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents SQL injection by requiring validation and neutralization of special elements in user inputs used for SQL commands in the WOOEXIM plugin.
- SI-2 (Flaw Remediation): mitigates the specific SQL injection flaw in WOOEXIM versions from n/a through 5.0.0 by identifying, prioritizing, and remediating the vulnerability via patching.
- Vulnerability scanning: detects SQL injection vulnerabilities like CVE-2025-22533 in the WordPress plugin and supports remediation to prevent exploitation.