CVE-2025-30784
Published: 27 March 2025
Summary
CVE-2025-30784 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-30784 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the WP Subscription Forms plugin (wp-subscription-forms) for WordPress developed by WP Shuffle. This issue impacts all versions of the plugin from n/a through 1.2.3, as published on 2025-03-27.
The vulnerability carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), indicating it can be exploited over the network by a low-privileged authenticated user with low attack complexity and no user interaction. Exploitation enables high confidentiality impact, such as unauthorized data extraction from the database, alongside low availability disruption, with a changed scope that may affect additional resources.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-subscription-forms/vulnerability/wordpress-wp-subscription-forms-1-2-3-sql-injection-vulnerability?_s_id=cve. Security practitioners should review this reference for patching guidance and update affected WordPress installations accordingly.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8397
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Shuffle WP Subscription Forms wp-subscription-forms allows SQL Injection. This issue affects WP Subscription Forms: from n/a through <= 1.2.3.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing WordPress plugin directly enables exploitation of the web application (T1190) and facilitates unauthorized extraction of data from the site's database (T1213.006).
Mitigating Controls (NIST 800-53 r5)
Information input validation directly prevents SQL injection in CVE-2025-30784 by checking and sanitizing user inputs before incorporation into SQL commands.
Flaw remediation requires identifying and patching the vulnerable WP Subscription Forms plugin versions through 1.2.3 to eliminate the SQL injection vulnerability.
Boundary protection at network interfaces using web application firewalls can block or detect SQL injection payloads exploiting the plugin's improper input neutralization.
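To make the input-validation control concrete, the following is an added illustration (not code from the WP Subscription Forms plugin or from the Patchstack advisory): a hypothetical subscriber lookup in a WordPress plugin, first written with the CWE-89 defect and then hardened with type validation (SI-10), a capability check, and a parameterized query via $wpdb->prepare(). It assumes the WordPress runtime is loaded ($wpdb, absint, sanitize_text_field, current_user_can, WP_Error); the table and function names are made up.

```php
<?php
// Added illustration, not the plugin's or Patchstack's code. Hypothetical
// subscriber lookup: the defective pattern, then the hardened one.
// Assumes WordPress is loaded ($wpdb, absint, sanitize_text_field,
// current_user_can, WP_Error). Table and function names are constructed.

// Defective pattern: request data is concatenated straight into the query,
// so a crafted value is parsed as SQL rather than treated as data (CWE-89).
function wpsf_example_find_subscribers_unsafe( $form_id, $email_fragment ) {
    global $wpdb;
    $table = $wpdb->prefix . 'wpsf_subscribers';
    $sql   = "SELECT id, email FROM {$table} WHERE form_id = {$form_id}"
           . " AND email LIKE '%{$email_fragment}%'";
    return $wpdb->get_results( $sql );
}

// Hardened pattern.
function wpsf_example_find_subscribers_safe( $form_id, $email_fragment ) {
    global $wpdb;

    // Limit exposure to low-privileged accounts (the CVSS vector is PR:L):
    // only users allowed to manage the site may query subscriber data.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'wpsf_forbidden', 'Insufficient privileges.' );
    }

    // SI-10: enforce type and range before the value reaches SQL.
    $form_id = absint( $form_id );
    if ( 0 === $form_id ) {
        return new WP_Error( 'wpsf_bad_form', 'Invalid form id.' );
    }
    $email_fragment = sanitize_text_field( (string) $email_fragment );
    if ( strlen( $email_fragment ) > 254 ) {
        return new WP_Error( 'wpsf_bad_email', 'Search term too long.' );
    }

    // The table name comes from the configured prefix, never from the request.
    $table = $wpdb->prefix . 'wpsf_subscribers';

    // Parameterized query: %d / %s placeholders, values bound separately.
    // esc_like() keeps user-supplied '%' and '_' from acting as wildcards.
    $like = '%' . $wpdb->esc_like( $email_fragment ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, email FROM {$table} WHERE form_id = %d AND email LIKE %s",
        $form_id,
        $like
    );
    return $wpdb->get_results( $sql );
}
```

Patching to a fixed plugin release (SI-2) remains the primary fix; the hardened handler shows what a correct version of such a query looks like when reviewing plugin code.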