CVE-2025-28939
Published: 26 March 2025
Summary
CVE-2025-28939 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 16.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-28939 is an improper neutralization of special elements used in an SQL command, classified as a Blind SQL Injection vulnerability (CWE-89), affecting the WP Google Calendar Manager plugin (wp-gcalendar) for WordPress developed by EuroCizia. The issue impacts all versions from n/a through 2.1 inclusive, with a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).
Low-privileged authenticated users can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation enables high confidentiality impact through data exfiltration via blind SQL injection techniques, low availability disruption, and scope change affecting the broader system, while integrity remains unaffected.
Advisories, including the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/wp-gcalendar/vulnerability/wordpress-wp-google-calendar-manager-plugin-2-1-sql-injection-vulnerability?_s_id=cve, provide further details on the vulnerability and recommended mitigations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8136
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in EuroCizia WP Google Calendar Manager wp-gcalendar allows Blind SQL Injection. This issue affects WP Google Calendar Manager: from n/a through <= 2.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Blind SQL injection in a public-facing WordPress plugin directly enables exploitation of the web application for data exfiltration.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents blind SQL injection by requiring validation and sanitization of untrusted inputs used in SQL commands within the WP Google Calendar Manager plugin.
- Flaw remediation: addresses the specific flaw in WP Google Calendar Manager versions through 2.1 by mandating timely identification, reporting, and patching of the SQL injection vulnerability.
- RA-5 (Vulnerability Monitoring and Scanning): enables proactive detection of CVE-2025-28939 through regular vulnerability scanning of the WordPress plugin, facilitating remediation before exploitation.
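To make the SI-10 control concrete, the following is an added illustration of the query pattern that produces a blind SQL injection in a WordPress plugin and the parameterized form that neutralizes it. It is not code from wp-gcalendar; the table name, the `calendar_id` column and the `gcal_events_*` function names are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Assumes a hypothetical table
// {$wpdb->prefix}gcal_events with an integer calendar_id column.

// Vulnerable pattern: the untrusted value is concatenated into the SQL text,
// so the database parses attacker-controlled input as part of the statement.
// Blind injection needs no visible error: the caller observes only whether
// rows come back (or how long the query takes).
function gcal_events_unsafe( $cal_id ) {
    global $wpdb;
    $sql = "SELECT id, title FROM {$wpdb->prefix}gcal_events"
         . " WHERE calendar_id = '" . $cal_id . "'";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: validate the input's type and range first (SI-10), then
// bind it as a typed placeholder so it can never alter the statement's structure.
function gcal_events_safe( $cal_id ) {
    global $wpdb;

    // Calendar ids are positive integers; absint() maps anything else to 0.
    $cal_id = absint( $cal_id );
    if ( 0 === $cal_id ) {
        return new WP_Error( 'gcal_bad_id', 'Invalid calendar id.' );
    }

    // %d is substituted by $wpdb->prepare() with an integer, never raw text.
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}gcal_events WHERE calendar_id = %d",
        $cal_id
    );
    return $wpdb->get_results( $sql );
}
```

Because the flaw is reachable by low-privileged authenticated users (PR:L), the same handler should also gate the call behind a capability check such as `current_user_can()` rather than relying on login state alone.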