CVE-2025-31466
Published: 28 March 2025
Summary
CVE-2025-31466 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Databases (T1213.006). The CVE ranks at the 36.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires validation of information inputs to neutralize special elements, directly preventing blind SQL injection as exploited in this WordPress plugin CVE.
Mandates identification, reporting, and remediation of flaws like this SQL injection vulnerability through plugin patching.
Vulnerability scanning identifies SQL injection flaws in plugins like Duplicate Page and Post, enabling timely remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The blind SQL injection vulnerability directly enables low-privileged authenticated users to extract sensitive data from the WordPress database via malicious SQL payloads, facilitating the Databases subtechnique under Data from Information Repositories.
NVD Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Falcon Solutions Duplicate Page and Post duplicate-post-and-page allows Blind SQL Injection. This issue affects Duplicate Page and Post: from n/a through <= 1.0.
Deeper analysis
CVE-2025-31466 is an Improper Neutralization of Special Elements used in an SQL Command vulnerability, classified as Blind SQL Injection (CWE-89), affecting the WordPress plugin Duplicate Page and Post (duplicate-post-and-page) developed by Falcon Solutions. The issue impacts all versions from n/a through 1.0 inclusive. It carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), indicating high severity due to network accessibility, low attack complexity, and low privileges required.
Low-privileged authenticated users (PR:L) can exploit this vulnerability remotely over the network without user interaction. By injecting malicious SQL payloads, attackers can perform blind SQL injection techniques to extract sensitive data from the database, achieving high confidentiality impact (C:H). The changed scope (S:C) and low availability impact (A:L) further elevate the risk in WordPress environments.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/duplicate-post-and-page/vulnerability/wordpress-duplicate-page-and-post-1-0-sql-injection-vulnerability?_s_id=cve provides details on the vulnerability, including recommended mitigations such as updating to a patched version if available or disabling the plugin.
Details
- CWE(s)