CVE-2025-26946
Published: 25 February 2025
Summary
CVE-2025-26946 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-26946 is an Improper Neutralization of Special Elements used in an SQL Command vulnerability, classified as Blind SQL Injection (CWE-89), in the WP Yelp Review Slider WordPress plugin developed by jgwhite33. This flaw affects the plugin from unknown initial versions through version 8.1 inclusive.
The vulnerability can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), requiring high privileges (PR:H) such as those of an authenticated administrator, and no user interaction (UI:N). Attackers achieving exploitation gain changed scope (S:C), resulting in high confidentiality impact (C:H) for potential data exfiltration through blind SQL injection techniques, with no integrity impact (I:N) and low availability impact (A:L), yielding a CVSS v3.1 base score of 7.6.
Patchstack advisories document the SQL injection vulnerability in WP Yelp Review Slider plugin version 8.1, providing details via their vulnerability database entry.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5404
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in jgwhite33 WP Yelp Review Slider wp-yelp-review-slider allows Blind SQL Injection.This issue affects WP Yelp Review Slider: from n/a through <= 8.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection vulnerability in public-facing WordPress plugin directly enables exploitation of public-facing applications for data exfiltration from the database.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates blind SQL injection by requiring validation of all information inputs used in SQL commands to neutralize special elements.
Ensures timely flaw remediation through patching the specific SQL injection vulnerability in WP Yelp Review Slider versions up to 8.1.
Vulnerability scanning identifies the blind SQL injection flaw in the plugin, enabling proactive remediation.