Cyber Posture

CVE-2025-24728

High

Published: 24 January 2025

Published
24 January 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
EPSS Score 0.0008 22.4th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24728 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the blind SQL injection vulnerability in the Bug Library WordPress plugin by identifying, reporting, and applying patches up to version 2.1.4.

SI-10 Information Input Validation good match
prevent

Prevents exploitation of the improper neutralization of special elements in SQL commands by enforcing validation of information inputs to the plugin.

RA-5 Vulnerability Monitoring and Scanning good match
detect

Detects the SQL injection vulnerability through systematic vulnerability scanning of the WordPress plugin and hosted applications.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
attack.mitre.org →
Why these techniques?

SQL injection in public-facing WordPress plugin allows authenticated low-priv users to extract DB data (high C impact, scope change), directly enabling public app exploitation (T1190), priv esc (T1068), and DB info repo access (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yannick Lefebvre Bug Library bug-library allows Blind SQL Injection.This issue affects Bug Library: from n/a through <= 2.1.4.

Deeper analysisAI

CVE-2025-24728 is an Improper Neutralization of Special Elements used in an SQL Command vulnerability, classified as SQL Injection (CWE-89), specifically enabling Blind SQL Injection in the Bug Library WordPress plugin developed by Yannick Lefebvre. This issue affects all versions of the plugin from unknown initial release through 2.1.4.

The vulnerability carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), indicating it can be exploited over the network with low attack complexity by users possessing low privileges, such as authenticated low-level WordPress users, without requiring user interaction. Successful exploitation changes the scope, allowing high-impact confidentiality violations through data extraction via blind SQL injection techniques, with no integrity impact and only low availability disruption.

Details on mitigation, including patches for the WordPress Bug Library plugin vulnerability up to version 2.1.4, are provided in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/bug-library/vulnerability/wordpress-bug-library-plugin-2-1-4-sql-injection-vulnerability?_s_id=cve.

Details

CWE(s)
CWE-89

CVEs Like This One

CVE-2026-22206Shared CWE-89
CVE-2026-32321Shared CWE-89
CVE-2024-48245Shared CWE-89
CVE-2026-29174Shared CWE-89
CVE-2025-24490Shared CWE-89
CVE-2024-57430Shared CWE-89
CVE-2026-23492Shared CWE-89
CVE-2025-26200Shared CWE-89
CVE-2019-25541Shared CWE-89
CVE-2025-25116Shared CWE-89

References