CVE-2025-30921
Published: 27 March 2025
Summary
CVE-2025-30921 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 40.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-30921 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, in Tribulant Software's Newsletters (newsletters-lite) WordPress plugin. The issue affects all versions from n/a through 4.9.9.7 and was published on 2025-03-27.
The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L). An attacker who already holds high privileges (PR:H) can exploit it over the network with low attack complexity and no user interaction. Successful exploitation yields a high confidentiality impact with a changed scope (S:C), a low availability impact, and no integrity impact.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/newsletters-lite/vulnerability/wordpress-newsletters-plugin-4-9-9-7-sql-injection-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8296
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tribulant Software Newsletters newsletters-lite allows SQL Injection. This issue affects Newsletters: from n/a through <= 4.9.9.7.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL Injection vulnerability in a public-facing WordPress plugin directly enables network-based exploitation of the application, mapping to T1190 Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of information inputs, which prevents SQL injection vulnerabilities like CVE-2025-30921 in the newsletters-lite plugin.
- Flaw remediation: mandates identification, reporting, and timely patching of flaws such as this SQL injection vulnerability affecting versions through 4.9.9.7.
- RA-5 (Vulnerability Monitoring and Scanning): provides vulnerability scanning to identify and prioritize remediation of SQL injection flaws like CVE-2025-30921 in deployed systems.