CVE-2025-22785
Published: 15 January 2025
Summary
CVE-2025-22785 is a critical-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 5.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability is an SQL injection issue, tracked as CWE-89, in the ComMotion Course Booking System WordPress plugin. It affects all versions from n/a through 6.0.6 and stems from improper neutralization of special elements in SQL commands.
Unauthenticated remote attackers can exploit the flaw over the network with low attack complexity and no user interaction required. Successful exploitation allows injection of arbitrary SQL statements, resulting in high confidentiality impact, limited availability impact, and a changed scope per the CVSS 9.3 rating.
The Patchstack advisory linked in the references provides further details on the affected plugin versions. The EPSS score has remained flat at 0.1502, its peak, with no material rise observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2994
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ComMotion Course Booking System course-booking-system allows SQL Injection. This issue affects Course Booking System: from n/a through <= 6.0.6.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
SQL injection in a public-facing WordPress plugin enables remote, unauthenticated exploitation of the application for initial access and direct, unauthorized retrieval of database contents.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires input validation and sanitization to neutralize special elements in SQL commands, preventing SQL injection exploitation in the vulnerable WordPress plugin.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and remediation of known flaws such as this SQL injection vulnerability by updating the affected course-booking-system plugin (versions up to 6.0.6).
- SC-7 (Boundary Protection): boundary protection devices such as web application firewalls monitor and block network-based SQL injection attempts targeting the unauthenticated vulnerability.
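As an added illustration of the SI-10 control above (not code from the Course Booking System plugin or from this advisory), the following hypothetical WordPress handler shows the string-interpolated query pattern that CWE-89 describes beside its prepared-statement form; the table name, column names and request parameters are assumptions.

```php
<?php
// Hypothetical example (not from the Course Booking System plugin): a
// booking lookup that reads request parameters and queries a custom table.
// Table and column names are assumptions for illustration only.

// UNSAFE: request values are interpolated straight into the SQL string, so
// a value that contains quote or comment characters changes the statement's
// structure instead of being treated as data (CWE-89).
function cbs_lookup_bookings_unsafe( array $request ) {
    global $wpdb;
    $table  = $wpdb->prefix . 'cbs_bookings';
    $course = $request['course_id'];
    $date   = $request['date'];
    return $wpdb->get_results(
        "SELECT id, slot FROM {$table} WHERE course_id = {$course} AND booking_date = '{$date}'"
    );
}

// HARDENED: validate each input against its expected shape, then bind it
// through $wpdb->prepare() so the database receives data, not SQL.
function cbs_lookup_bookings_safe( array $request ) {
    global $wpdb;
    // The table name is built from the site prefix, never from user input.
    $table = $wpdb->prefix . 'cbs_bookings';

    // course_id must be a positive integer; absint() yields 0 for anything else.
    $course = absint( $request['course_id'] ?? 0 );
    if ( 0 === $course ) {
        return new WP_Error( 'cbs_bad_course', 'Invalid course id.' );
    }

    // booking_date must match YYYY-MM-DD; anything else is refused outright.
    $date = sanitize_text_field( wp_unslash( $request['date'] ?? '' ) );
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $date ) ) {
        return new WP_Error( 'cbs_bad_date', 'Invalid booking date.' );
    }

    // %d and %s placeholders: $wpdb->prepare() casts and quotes the values,
    // so the query structure is fixed before the user-supplied data is bound.
    $sql = $wpdb->prepare(
        "SELECT id, slot FROM {$table} WHERE course_id = %d AND booking_date = %s",
        $course,
        $date
    );
    return $wpdb->get_results( $sql );
}
```

The whitelist checks matter even with prepared statements: they reject malformed input early and give a WAF (SC-7) and application logs a clear signal to alert on.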