Cyber Resilience

CVE-2025-23784

High

Published: 22 January 2025

Published
22 January 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v3.1 7.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
EPSS Score 0.0018 40.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-23784 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Databases (T1213.006); ranked at the 40.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-23784 is an SQL injection vulnerability (CWE-89) stemming from improper neutralization of special elements used in an SQL command. It affects the WordPress plugin "Contact Form 7 Round Robin Lead Distribution" by David Jeffrey, with the flaw present in all versions up to and including 1.2.1.

The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L). Attackers with high privileges, such as authenticated administrators, can exploit it remotely over the network with low attack complexity and no user interaction required. Successful exploitation enables high-impact confidentiality violations, such as unauthorized data extraction from the database, alongside low availability disruption and a changed scope, but no integrity impact.

Mitigation details are available in advisories like the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/contact-form-7-round-robin-lead-distribution/vulnerability/wordpress-contact-form-7-round-robin-lead-distribution-plugin-1-2-1-sql-injection-vulnerability?_s_id=cve.

EU & UK References

Vulnerability details

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Jeffrey Contact Form 7 Round Robin Lead Distribution contact-form-7-round-robin-lead-distribution allows SQL Injection.This issue affects Contact Form 7 Round Robin Lead Distribution: from n/a through <=…

more

1.2.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection enables authenticated admins to extract data from the database, directly facilitating T1213.006 (Data from Information Repositories: Databases).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-30571Shared CWE-89
CVE-2024-57775Shared CWE-89
CVE-2026-29081Shared CWE-89
CVE-2026-48232Shared CWE-89
CVE-2025-30791Shared CWE-89
CVE-2026-32366Shared CWE-89
CVE-2024-57770Shared CWE-89
CVE-2025-22710Shared CWE-89
CVE-2025-31466Shared CWE-89
CVE-2026-40745Shared CWE-89

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 mandates validation of information inputs to neutralize special elements, directly preventing SQL injection exploits like CVE-2025-23784.

prevent

SI-2 requires identification, reporting, and correction of system flaws, enabling patching of the vulnerable Contact Form 7 Round Robin Lead Distribution plugin.

prevent

SI-9 enforces restrictions on information inputs such as types, lengths, and ranges, mitigating SQL injection by blocking malicious payloads.

References