Cyber Resilience

CVE-2025-26755

Severity: High

Published: 16 February 2025

Modified: 23 April 2026
KEV Added: not listed
Patch
CVSS Score (v3.1): 7.6 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L)
EPSS Score: 0.0006 (18.3th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-26755 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-26755 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability (CWE-89) that enables Blind SQL Injection in the WP Airbnb Review Slider plugin (wp-airbnb-review-slider) developed by jgwhite33 for WordPress. The flaw affects all versions of the plugin from its initial release through 3.9 inclusive. Published on 2025-02-16, it carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L).

Exploitation requires network access with low attack complexity and high privileges (PR:H), such as those held by authenticated WordPress users with elevated roles like administrators. No user interaction is needed. An attacker can achieve high confidentiality impact by extracting sensitive data from the database via blind SQL injection techniques, with low availability impact and no integrity impact; the scope change (S:C) means the impact can extend beyond the vulnerable plugin to the underlying WordPress database.

The Patchstack advisory provides further details on this vulnerability in the WP Airbnb Review Slider plugin up to version 3.9, available at https://patchstack.com/database/Wordpress/Plugin/wp-airbnb-review-slider/vulnerability/wordpress-wp-airbnb-review-slider-plugin-3-9-sql-injection-vulnerability?_s_id=cve.

Vulnerability details

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in jgwhite33 WP Airbnb Review Slider wp-airbnb-review-slider allows Blind SQL Injection. This issue affects WP Airbnb Review Slider: from n/a through <= 3.9.

CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.

Why these techniques?

The SQL injection vulnerability in this public-facing WordPress plugin directly enables T1190 (exploitation of a public-facing application) and facilitates T1213.006 (data collection from databases), since blind SQL injection can be used to exfiltrate sensitive database contents.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2019-25537 (shared CWE-89)
- CVE-2019-25366 (shared CWE-89)
- CVE-2019-25496 (shared CWE-89)
- CVE-2026-1475 (shared CWE-89)
- CVE-2026-26990 (shared CWE-89)
- CVE-2026-44047 (shared CWE-89)
- CVE-2025-12865 (shared CWE-89)
- CVE-2024-11135 (shared CWE-89)
- CVE-2019-25491 (shared CWE-89)
- CVE-2024-13369 (shared CWE-89)

Mitigating Controls (NIST 800-53 r5) (AI)

- SI-2 Flaw Remediation (prevent): Remediating the specific SQL injection flaw in the WP Airbnb Review Slider plugin through timely patching directly eliminates the vulnerability.
- SI-10 Information Input Validation (prevent): Validating and sanitizing information inputs prevents improper neutralization of special elements used in SQL commands, directly countering blind SQL injection.
- AC-6 Least Privilege (prevent): Enforcing least privilege limits the availability of the high-privilege accounts (PR:H) needed to trigger the SQL injection vulnerability.
