CVE-2025-23779
Published: 16 January 2025
Summary
CVE-2025-23779 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); the CVE ranks in the top 50.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-23779 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the ResAds WordPress plugin developed by web-mv. The issue affects ResAds versions from an unknown initial release through 2.0.5 and allows SQL Injection via the resads component.
An attacker who already holds high privileges (PR:H) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). A successful exploit changes scope (S:C) and has high confidentiality impact (C:H), such as unauthorized data access, no integrity impact (I:N) and low availability impact (A:L), giving a CVSS v3.1 base score of 7.6.
The Patchstack advisory provides details on this WordPress ResAds plugin vulnerability, including mitigation recommendations for versions up to 2.0.5, available at https://patchstack.com/database/Wordpress/Plugin/resads/vulnerability/wordpress-resads-plugin-2-0-5-sql-injection-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3412
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in web-mv ResAds resads allows SQL Injection. This issue affects ResAds: from n/a through <= 2.0.5.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL Injection in a public-facing WordPress plugin directly enables exploitation of the web application (T1190) and facilitates unauthorized database queries for data collection (T1213.006).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of all information inputs, including those that reach SQL commands in the ResAds plugin, so that special elements are neutralized and SQL injection cannot be exploited.
- SI-2 (Flaw Remediation): mandates timely flaw remediation, such as updating the vulnerable ResAds plugin (versions up to 2.0.5) to a fixed release, to eliminate the SQL injection vulnerability.
- RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning to identify SQL injection flaws like CVE-2025-23779 in web plugins, enabling proactive remediation.
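The SI-10 control above is abstract; the following added example, which is not code from the ResAds plugin or from the Patchstack advisory, shows what it means in a WordPress plugin: a hypothetical handler that builds its query by string concatenation (the CWE-89 pattern), next to the same handler using $wpdb->prepare() so the SQL shape is fixed and the request value travels as a bound parameter. The table name, column names, function names and nonce action are invented; the WordPress functions ($wpdb, sanitize_text_field, absint, wp_unslash, current_user_can, check_admin_referer, wp_die) are assumed to be available as they are in any plugin.

```php
<?php
// Added illustration of CWE-89 in a hypothetical WordPress plugin and of the
// parameterised form that neutralises it. Not code from ResAds or the advisory.
// Table 'demo_ads', columns, function names and the nonce action are invented.

// VULNERABLE PATTERN: request input is concatenated straight into the SQL text,
// so whatever arrives in $zone becomes part of the statement the database parses.
function demo_ads_by_zone_unsafe( $zone ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_ads';   // hypothetical table
    $sql   = "SELECT id, title FROM {$table} WHERE zone = '" . $zone . "' ORDER BY id";
    return $wpdb->get_results( $sql );
}

// HARDENED FORM (SI-10): the statement shape is fixed in the code; the zone value
// is bound through %s and the limit through %d, so neither can alter the query.
function demo_ads_by_zone_safe( $zone, $limit = 20 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_ads';
    $zone  = sanitize_text_field( $zone );             // normalise the string input
    $limit = max( 1, min( absint( $limit ), 100 ) );   // integer, bounded to 1..100
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE zone = %s ORDER BY id LIMIT %d",
        $zone,
        $limit
    );
    return $wpdb->get_results( $sql );
}

// Admin-side entry point. The vector for this CVE is PR:H, i.e. a privileged
// account is required, so the capability and nonce checks in front of the query
// limit who can reach it at all; the prepared statement removes the injection
// regardless of who calls it.
function demo_ads_admin_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'demo_ads_zone_lookup' );   // hypothetical nonce action
    $zone  = isset( $_GET['zone'] )  ? wp_unslash( $_GET['zone'] ) : '';
    $limit = isset( $_GET['limit'] ) ? $_GET['limit'] : 20;
    return demo_ads_by_zone_safe( $zone, $limit );
}
```

Note that $wpdb->prepare() supplies the quoting for %s placeholders itself, so the placeholder is written without surrounding quotes; identifiers such as the table name cannot be bound and must come from trusted code, never from the request. Reviewing a plugin for this CVE class means looking for every $wpdb->query(), get_results(), get_var() or get_row() call whose SQL string is assembled from request data without passing through prepare().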