CVE-2025-26755
Published: 16 February 2025
Summary
CVE-2025-26755 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 18.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-26755 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability (CWE-89) that enables Blind SQL Injection in the WP Airbnb Review Slider plugin (wp-airbnb-review-slider) developed by jgwhite33 for WordPress. The flaw affects all versions of the plugin from its initial release through 3.9 inclusive. Published on 2025-02-16, it carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L).
Exploitation requires network access (AV:N) with low attack complexity (AC:L) and high privileges (PR:H), such as those held by authenticated WordPress users with elevated roles like administrators. No user interaction is needed (UI:N). An attacker can achieve high confidentiality impact (C:H) by extracting sensitive data from the database through blind SQL injection techniques; availability impact is low (A:L) and there is no integrity impact (I:N). The scope is changed (S:C), so the impact can extend beyond the vulnerable plugin component itself.
The Patchstack advisory provides further details on this vulnerability in the WP Airbnb Review Slider plugin up to version 3.9, available at https://patchstack.com/database/Wordpress/Plugin/wp-airbnb-review-slider/vulnerability/wordpress-wp-airbnb-review-slider-plugin-3-9-sql-injection-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4235
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in jgwhite33 WP Airbnb Review Slider wp-airbnb-review-slider allows Blind SQL Injection. This issue affects WP Airbnb Review Slider: from n/a through <= 3.9.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
A SQL injection vulnerability in a public-facing WordPress plugin directly enables T1190 (Exploit Public-Facing Application) and facilitates T1213.006 (data collection from databases): blind SQL injection lets an attacker exfiltrate sensitive database contents.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5, AI-generated)
- SI-2 (Flaw Remediation): remediating the specific SQL injection flaw in the WP Airbnb Review Slider plugin through timely patching (updating past version 3.9) directly eliminates the vulnerability.
- SI-10 (Information Input Validation): validating and sanitizing information inputs prevents improper neutralization of special elements used in SQL commands, directly countering blind SQL injection.
- AC-6 (Least Privilege): enforcing least privilege limits the availability of the high-privilege accounts (PR:H) needed to trigger the SQL injection vulnerability.
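The input-validation and least-privilege controls above, as an added example written for this page and not taken from the WP Airbnb Review Slider plugin's code: a hypothetical review-listing query in a weak form that interpolates request values into SQL, beside a hardened form that validates each input and binds values with `$wpdb->prepare()`, plus a capability-gated AJAX handler. The function names prefixed `wpars_demo_`, the `demo_reviews` table, the 1..5 rating scale and the nonce action name are assumptions; `$wpdb->prepare()`, `absint()`, `current_user_can()` and `check_ajax_referer()` are standard WordPress APIs.

```php
<?php
// Added example (assumed names, not the plugin's own code). A review query written two ways.

// WEAK: request-controlled values are interpolated straight into the SQL string.
// Any quoting the caller forgot is the only defence, so a crafted value that alters the
// WHERE or ORDER BY clause reaches the database as SQL. Shown only as the pattern to avoid.
function wpars_demo_get_reviews_unsafe( $listing_id, $min_rating, $orderby ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_reviews'; // assumed table name
    $sql   = "SELECT id, author, rating, body FROM {$table}"
           . " WHERE listing_id = {$listing_id} AND rating >= {$min_rating}"
           . " ORDER BY {$orderby} DESC";
    return $wpdb->get_results( $sql );
}

// HARDENED (SI-10): coerce each input to the type and range the feature needs, then bind
// values with $wpdb->prepare() so the database never parses them as SQL. Identifiers such
// as the ORDER BY column cannot be bound, so they are checked against an allow-list.
function wpars_demo_get_reviews( $listing_id, $min_rating, $orderby ) {
    global $wpdb;

    $listing_id = absint( $listing_id );            // non-negative integer only
    if ( 0 === $listing_id ) {
        return array();                             // nothing sensible to query
    }

    $min_rating = (int) $min_rating;
    if ( $min_rating < 1 || $min_rating > 5 ) {     // assumed 1..5 rating scale
        return array();
    }

    $allowed_orderby = array( 'rating', 'created_at', 'id' );
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'created_at';                    // safe default, never the raw input
    }

    $table = $wpdb->prefix . 'demo_reviews';
    $sql   = $wpdb->prepare(
        "SELECT id, author, rating, body FROM {$table}"
        . " WHERE listing_id = %d AND rating >= %d"
        . " ORDER BY {$orderby} DESC LIMIT %d",
        $listing_id,
        $min_rating,
        50
    );
    return $wpdb->get_results( $sql );
}

// LEAST PRIVILEGE (AC-6): even though this CVE's vector needs high privileges (PR:H), the
// handler still gates on an explicit capability and a nonce, and still passes its input
// through the validating query above. Hypothetical AJAX endpoint.
function wpars_demo_ajax_reviews() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }
    check_ajax_referer( 'wpars_demo_reviews', 'nonce' ); // assumed nonce action name

    $listing = isset( $_POST['listing'] ) ? $_POST['listing'] : 0;
    $min     = isset( $_POST['min'] ) ? $_POST['min'] : 1;
    $orderby = isset( $_POST['orderby'] )
        ? sanitize_text_field( wp_unslash( $_POST['orderby'] ) )
        : 'created_at';

    wp_send_json_success( wpars_demo_get_reviews( $listing, $min, $orderby ) );
}
add_action( 'wp_ajax_wpars_demo_reviews', 'wpars_demo_ajax_reviews' );
```

The allow-list for `ORDER BY` is the part most often missed: `$wpdb->prepare()` only binds values, so a column name taken from the request has to be compared against a fixed set of identifiers rather than escaped. The same review applies to any `LIMIT`, table-suffix or sort-direction fragment built from user input.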