CVE-2025-24659
Published: 24 January 2025
Summary
CVE-2025-24659 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 15.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-24659 is a blind SQL injection vulnerability (CWE-89) in the WPDM – Premium Packages WordPress plugin. The flaw stems from improper neutralization of special elements in SQL commands and affects all versions through 5.9.6.
An authenticated user with high privileges can exploit the issue over the network with low attack complexity. Successful exploitation allows the attacker to perform blind SQL injection, resulting in high confidentiality impact on the database, limited availability effects, and a scope change as indicated by the CVSS 7.6 rating.
The single reference points to a Patchstack advisory entry for the plugin. The EPSS score rose from a low baseline to a peak of 0.0394, indicating emerging post-disclosure exploitation interest that warrants renewed attention for instances still running vulnerable versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3854
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjada WPDM – Premium Packages wpdm-premium-packages allows Blind SQL Injection. This issue affects WPDM – Premium Packages: from n/a through <= 5.9.6.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A SQL injection vulnerability in a public-facing WordPress plugin directly enables T1190 (exploitation of the application) and facilitates T1213.006 (database data extraction through blind queries).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely flaw remediation, such as updating the WPDM – Premium Packages plugin to a version later than 5.9.6 to eliminate the SQL injection vulnerability.
- SI-10 (Information Input Validation): mandates validation of information inputs to neutralize the special elements that enable blind SQL injection in the plugin's SQL commands.
- RA-5 (Vulnerability Monitoring and Scanning): provides vulnerability scanning to identify and assess the SQL injection flaw in the WordPress plugin for prioritized remediation.
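What SI-10 looks like inside a WordPress plugin, as an added illustration that is not code from WPDM – Premium Packages or from Patchstack: a hypothetical lookup handler (function names, the `wpdm_example_packages` table and the `wpdm_example_lookup` action are all invented for this example) shown first with the request parameter concatenated into the SQL string, then rewritten with `$wpdb->prepare()` so the value is bound as typed data and cannot change the query structure.

```php
<?php
// Added example, not the plugin's own code. Demonstrates the defensive
// pattern (parameterized queries via $wpdb->prepare) that neutralizes
// SQL special elements in user-controlled input.

// Vulnerable pattern (do not use): untrusted input concatenated into SQL.
// Whatever the caller passes becomes part of the statement text.
function wpdm_example_get_package_unsafe( $package_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'wpdm_example_packages'; // hypothetical table
    $sql   = "SELECT id, title FROM {$table} WHERE id = " . $package_id;
    return $wpdb->get_row( $sql );
}

// Hardened pattern: coerce to the expected type, then bind it with a typed
// placeholder. The table name is internal, so it is safe to interpolate.
function wpdm_example_get_package_safe( $package_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'wpdm_example_packages'; // hypothetical table
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE id = %d",
        absint( $package_id )
    );
    return $wpdb->get_row( $sql );
}

// String input uses %s; LIKE metacharacters are escaped separately with
// esc_like() because prepare() only quotes the value.
function wpdm_example_search_packages_safe( $term ) {
    global $wpdb;
    $table = $wpdb->prefix . 'wpdm_example_packages'; // hypothetical table
    $like  = '%' . $wpdb->esc_like( sanitize_text_field( $term ) ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, title FROM {$table} WHERE title LIKE %s", $like )
    );
}

// Entry point: capability and nonce checks narrow who can reach the query
// (the advisory notes the flaw needs a high-privilege user), but they do
// not replace parameterization, which is what removes the injection.
add_action( 'admin_post_wpdm_example_lookup', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'wpdm_example_lookup' );
    $row = wpdm_example_get_package_safe( $_POST['package_id'] ?? 0 );
    wp_send_json( $row );
} );
```

The `%d` placeholder turns the identifier into an integer before it reaches MySQL, so a blind-injection probe appended to the parameter is reduced to a number or discarded rather than altering the WHERE clause; reviewing a plugin for every `$wpdb->query`, `get_var`, `get_row` and `get_results` call that is not wrapped in `prepare()` is the practical audit step behind the SI-10 control listed above.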