CVE-2025-26978
Published: 15 March 2025
Summary
CVE-2025-26978 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 16.3 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-26978 is an improper neutralization of special elements used in an SQL command, classified as an SQL injection vulnerability (CWE-89), affecting the FS Poster WordPress plugin developed by fs-code. This issue impacts all versions of FS Poster from n/a through 6.5.8. Published on 2025-03-15, it carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), reflecting high severity due to network accessibility, low attack complexity, and significant confidentiality impact.
Low-privileged authenticated users (PR:L) can exploit this vulnerability remotely over the network without requiring user interaction. Exploitation enables attackers to extract highly sensitive data from the database (C:H) and cause low-level availability disruption (A:L), with the attack propagating across a security scope change (S:C) to potentially affect other components.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/fs-poster/vulnerability/wordpress-fs-poster-plugin-6-5-8-sql-injection-vulnerability?_s_id=cve details this SQL injection vulnerability in the FS Poster plugin up to version 6.5.8.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6649
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in fs-code FS Poster fs-poster. This issue affects FS Poster: from n/a through <= 6.5.8.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in a public-facing WordPress plugin directly enables remote exploitation of public-facing applications (T1190) and facilitates unauthorized collection of sensitive data from the database (T1213.006).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents SQL injection by validating and neutralizing special elements in information inputs before they are processed in SQL commands.
- Addresses the specific flaw in the FS Poster plugin by requiring timely remediation through patching to versions beyond 6.5.8.
- RA-5 (Vulnerability Monitoring and Scanning): Identifies the SQL injection vulnerability in the WordPress plugin through regular vulnerability scanning, enabling proactive mitigation.
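As an added illustration of the input-neutralization control, the following WordPress AJAX handler shows the CWE-89 pattern beside a hardened version; it is not the FS Poster plugin's own code (the advisory does not disclose the vulnerable code path), and the function names, table name and `post_id` parameter are hypothetical.

```php
<?php
// Added illustration, not FS Poster's code. An admin-ajax.php handler is
// reachable by any logged-in user, matching the advisory's AV:N / PR:L profile.
// Handler names, the demo_schedules table and the post_id parameter are hypothetical.

// VULNERABLE pattern: the request value is interpolated straight into the SQL string.
function demo_fsp_get_schedule_vulnerable() {
    global $wpdb;
    $post_id = $_POST['post_id'];                      // attacker-controlled, unvalidated
    $sql = "SELECT * FROM {$wpdb->prefix}demo_schedules WHERE post_id = $post_id";
    wp_send_json( $wpdb->get_results( $sql ) );        // CWE-89: special elements not neutralized
}

// HARDENED pattern: nonce and capability check, strict typing, prepared statement.
function demo_fsp_get_schedule_hardened() {
    global $wpdb;
    check_ajax_referer( 'demo_fsp_schedule' );         // rejects requests without a valid nonce
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );        // least privilege: not every subscriber
    }
    // SI-10: coerce to a non-negative integer and reject anything that does not fit.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( 0 === $post_id ) {
        wp_send_json_error( 'invalid post_id', 400 );
    }
    $table = $wpdb->prefix . 'demo_schedules';         // prefix is trusted site configuration
    // %d binds an integer; string values would use %s and LIKE patterns $wpdb->esc_like().
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, post_id, scheduled_at FROM {$table} WHERE post_id = %d",
            $post_id
        )
    );
    wp_send_json_success( $rows );
}
// Only the hardened handler is registered.
add_action( 'wp_ajax_demo_fsp_get_schedule', 'demo_fsp_get_schedule_hardened' );
```

The hardened handler turns any non-numeric `post_id` into a 400 response before a query is built, and the placeholder keeps the remaining integer from being parsed as SQL.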