CVE-2025-68881
Published: 22 January 2026
Summary
CVE-2025-68881 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-68881 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, in the AppExperts WordPress plugin developed by Saad Iqbal. The issue affects AppExperts versions from n/a through 1.4.5 and was published on 2026-01-22.
The vulnerability carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L). A low-privileged authenticated user can exploit it remotely over the network with low attack complexity and no user interaction, achieving high impact on confidentiality, no impact on integrity, low impact on availability, and a changed scope.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/appexperts/vulnerability/wordpress-appexperts-plugin-1-4-5-sql-injection-vulnerability?_s_id=cve.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4007
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal AppExperts (appexperts) allows SQL Injection. This issue affects AppExperts versions from n/a through 1.4.5 (inclusive).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing WordPress plugin directly enables remote exploitation of an internet-accessible application (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates SQL injection by requiring validation of user inputs to neutralize special elements before they are used in SQL commands.
- Flaw remediation: ensures timely remediation of known flaws such as this SQL injection vulnerability in the AppExperts WordPress plugin through patching.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning identifies SQL injection issues such as CVE-2025-68881 and drives their remediation.
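As an added, generic illustration of the SI-10 control in WordPress plugin code (this is not the AppExperts plugin's code; this record does not show the vulnerable query), the following PHP contrasts a query built by string concatenation with the same query passed through $wpdb->prepare(). The table name, column names, request parameter and AJAX action name are assumptions made for the example.

```php
<?php
// Added example, not taken from the AppExperts plugin.
// Assumed schema: {prefix}appx_items (id, owner, title).

// Vulnerable pattern: untrusted request data is interpolated straight into SQL.
function appx_find_items_unsafe( $title ) {
    global $wpdb;
    $table = $wpdb->prefix . 'appx_items'; // prefix is trusted, set by the site config
    // $title reaches the SQL parser unchanged, so quotes and operators in it
    // change the structure of the query instead of being treated as data.
    return $wpdb->get_results( "SELECT id, owner, title FROM {$table} WHERE title = '{$title}'" );
}

// Hardened pattern: validate the input type/shape, then bind values with prepare().
function appx_find_items_safe( $title, $owner_id ) {
    global $wpdb;
    $table    = $wpdb->prefix . 'appx_items';
    $title    = sanitize_text_field( $title ); // normalise; still treated as untrusted
    $owner_id = absint( $owner_id );           // enforce the integer type we expect
    if ( '' === $title || 0 === $owner_id ) {
        return array();                        // reject malformed input rather than guess
    }
    // %s / %d placeholders: WordPress escapes and quotes the values, so they are
    // never parsed as SQL. The table name is not a placeholder; it is not user input.
    $sql = $wpdb->prepare(
        "SELECT id, owner, title FROM {$table} WHERE title = %s AND owner = %d LIMIT %d",
        $title,
        $owner_id,
        50
    );
    return $wpdb->get_results( $sql );
}

// Request handler: an authenticated (PR:L) caller still has to pass the capability
// and nonce checks before any query runs, and only ever reaches the safe function.
function appx_handle_search() {
    if ( ! current_user_can( 'read' ) || ! check_ajax_referer( 'appx_search', 'nonce', false ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $items = appx_find_items_safe( $_POST['title'] ?? '', get_current_user_id() );
    wp_send_json_success( $items );
}
add_action( 'wp_ajax_appx_search', 'appx_handle_search' );
```

The scoping to the calling user's own owner id is what keeps a low-privileged account from reading other users' rows even through a correct query; prepare() alone removes the injection, the ownership filter and capability check address the confidentiality impact the CVSS vector describes. For LIKE patterns, the wildcard characters in user input would additionally need $wpdb->esc_like() before binding.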