Cyber Resilience

CVE-2025-22785

Severity: Critical
Published: 15 January 2025
Modified: 23 April 2026
CVSS Score (v3.1): 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)
EPSS Score: 0.1502 (94.7th percentile)
Risk Priority: 28 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-22785 is a critical-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 5.3% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is an SQL injection issue, tracked as CWE-89, in the ComMotion Course Booking System WordPress plugin. It affects all versions from n/a through 6.0.6 and stems from improper neutralization of special elements in SQL commands.

Unauthenticated remote attackers can exploit the flaw over the network with low attack complexity and no user interaction required. Successful exploitation allows injection of arbitrary SQL statements, resulting in high confidentiality impact, limited availability impact, and a changed scope per the CVSS 9.3 rating.

The Patchstack advisory linked in the references provides further details on the affected plugin versions. The EPSS score has remained flat at 0.1502, its peak value, with no material rise observed after disclosure.

Vulnerability details

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ComMotion Course Booking System course-booking-system allows SQL Injection. This issue affects Course Booking System: from n/a through <= 6.0.6.

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.

Why these techniques?

An SQL injection flaw in a public-facing WordPress plugin enables remote, unauthenticated exploitation of the application for initial access and direct unauthorized retrieval of database contents.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2019-25537 (shared CWE-89)
- CVE-2019-25366 (shared CWE-89)
- CVE-2019-25496 (shared CWE-89)
- CVE-2026-1475 (shared CWE-89)
- CVE-2026-26990 (shared CWE-89)
- CVE-2026-44047 (shared CWE-89)
- CVE-2025-12865 (shared CWE-89)
- CVE-2024-11135 (shared CWE-89)
- CVE-2019-25491 (shared CWE-89)
- CVE-2024-13369 (shared CWE-89)

Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): Directly requires input validation and sanitization to neutralize special elements in SQL commands, preventing SQL injection exploitation in the vulnerable WordPress plugin.
- SI-2 Flaw Remediation (prevent): Mandates timely identification, reporting, and remediation of known flaws such as this SQL injection vulnerability by patching affected versions of the course-booking-system plugin (through 6.0.6).
- Boundary protection (prevent, detect): Boundary protection devices such as web application firewalls monitor and block network-based SQL injection attempts targeting the unauthenticated vulnerability.

References