CVE-2025-31542
Published: 31 March 2025
Summary
CVE-2025-31542 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Information Repositories: Databases (T1213.006). The vulnerability ranks at the 36.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of information inputs to neutralize special elements, directly preventing blind SQL injection exploitation in the vulnerable WordPress plugin.
SI-2 mandates identification and timely remediation of system flaws, directly addressing the need to patch the My Auctions Allegro plugin in versions up to and including 3.6.20.
RA-5 requires vulnerability scanning to identify SQL injection vulnerabilities like CVE-2025-31542 in web plugins prior to exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The blind SQL injection vulnerability in the WordPress plugin directly enables extraction of sensitive data from the database by low-privileged authenticated users, mapping to T1213.006 Data from Information Repositories: Databases.
NVD Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Blind SQL Injection. This issue affects My auctions allegro: from n/a through <= 3.6.20.
Deeper analysis
CVE-2025-31542 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, specifically enabling Blind SQL Injection (CWE-89), in the WordPress plugin My Auctions Allegro (my-auctions-allegro-free-edition) developed by wphocus. The issue affects all versions of the plugin up to and including 3.6.20. Published on 2025-03-31, it carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), indicating high severity due to its network accessibility, low complexity, and potential for significant confidentiality impact.
The vulnerability can be exploited remotely by low-privileged authenticated users (PR:L) with low attack complexity and no user interaction required. Successful exploitation allows attackers to perform blind SQL injection, achieving high confidentiality impact (C:H) by extracting sensitive data from the database, alongside low availability impact (A:L) and a scope change (S:C) that amplifies the consequences beyond the vulnerable component.
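The SI-10 control above and the blind SQL injection described in this analysis both come down to one coding practice: user-supplied values must reach the database as bound parameters, never as part of the SQL text. The following PHP is an added illustration written for this page; it is not code from the My Auctions Allegro plugin, whose vulnerable code path is not published here. The table, the `owner` filter and the sample input are constructed, and the script runs stand-alone with the `php` CLI and the `pdo_sqlite` extension.

```php
<?php
// Added example (not the plugin's code): a query built by string concatenation
// beside the parameterised form that CWE-89 remediation and NIST SI-10 call for.
// Everything below (table, rows, filter value) is constructed for illustration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE auctions (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)');
$db->exec("INSERT INTO auctions (owner, title) VALUES "
        . "('alice', 'Vintage lamp'), ('bob', 'Bike'), ('bob', 'Laptop')");

// Vulnerable pattern (hypothetical function name): the filter value is
// interpolated into the SQL text, so a quote in the input rewrites the query.
function list_auctions_vulnerable(PDO $db, string $owner): array
{
    $sql = "SELECT title FROM auctions WHERE owner = '" . $owner . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: the value is bound as a parameter and can only ever be
// compared as data. In a WordPress plugin the equivalent is
// $wpdb->get_col($wpdb->prepare("SELECT title FROM ... WHERE owner = %s", $owner)).
function list_auctions_safe(PDO $db, string $owner): array
{
    $stmt = $db->prepare('SELECT title FROM auctions WHERE owner = ?');
    $stmt->execute([$owner]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A value a low-privileged user might type into a filter field (constructed).
// It contains a closing quote followed by an always-true condition.
$filter = "alice' OR '1'='1";

printf("vulnerable: %d rows\n", count(list_auctions_vulnerable($db, $filter)));
printf("safe:       %d rows\n", count(list_auctions_safe($db, $filter)));
```

Run against the constructed table, the first function returns every row because the WHERE clause has been collapsed into a tautology, while the second returns no rows because no owner is literally named `alice' OR '1'='1`. The same bound-parameter discipline is what closes a blind variant: when the input cannot alter query structure, there is no true/false or timing difference left for an attacker to observe, regardless of whether query results are displayed.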
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-20-sql-injection-vulnerability?_s_id=cve details the vulnerability and recommends updating to a patched version beyond 3.6.20 to mitigate the issue.
Details
- CWE(s)