CVE-2025-14124
Description
The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in the Team WordPress plugin before 5.0.11 via an unsanitized AJAX parameter.
The Team WordPress plugin before version 5.0.11 contains an unauthenticated SQL injection vulnerability. The plugin fails to properly sanitize and escape a parameter before using it in a SQL statement within an AJAX action that is available to unauthenticated users [1]. This allows an attacker to inject arbitrary SQL commands.
An attacker can exploit this vulnerability by sending a crafted AJAX request to the vulnerable endpoint without needing any authentication. The lack of input sanitization means the attacker can manipulate the SQL query executed by the plugin [1].
Successful exploitation could allow an unauthenticated attacker to extract sensitive data from the database, such as user credentials or other private information. Depending on the database configuration, it might also be possible to modify or delete data [1].
The vulnerability has been fixed in version 5.0.11 of the plugin. Users are strongly advised to update to the latest version to mitigate the risk [1].
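An added illustration, not the Team plugin's own code (the record does not show it): a WordPress AJAX handler registered on a `wp_ajax_nopriv_` hook that interpolates a request parameter straight into SQL, as the description above names, beside a hardened version that validates the value and binds it with `$wpdb->prepare()`. The hook names, the `team_member_id` parameter and the nonce name are hypothetical placeholders.

```php
<?php
// Added example, not from the Team plugin. Action, parameter and nonce names
// (team_vuln_lookup, team_safe_lookup, team_member_id, team_lookup_nonce) are
// placeholders chosen for illustration.

// wp_ajax_nopriv_* hooks fire for visitors who are NOT logged in, so any
// handler registered here is reachable without authentication.
add_action( 'wp_ajax_nopriv_team_vuln_lookup', 'team_vuln_lookup' );
add_action( 'wp_ajax_team_vuln_lookup',        'team_vuln_lookup' );

// VULNERABLE PATTERN: the request parameter is neither validated nor escaped
// and is interpolated directly into the SQL string.
function team_vuln_lookup() {
    global $wpdb;
    $id  = isset( $_POST['team_member_id'] ) ? $_POST['team_member_id'] : '';
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_type = 'team' AND ID = $id"; // $id is attacker-controlled text
    wp_send_json( $wpdb->get_results( $sql ) );
}

add_action( 'wp_ajax_nopriv_team_safe_lookup', 'team_safe_lookup' );
add_action( 'wp_ajax_team_safe_lookup',        'team_safe_lookup' );

// HARDENED PATTERN: reject anything that is not a positive integer, then let
// $wpdb->prepare() bind the value so it can never be parsed as SQL.
function team_safe_lookup() {
    global $wpdb;
    // Optional: require a nonce issued to the page that calls this action so
    // arbitrary cross-site POSTs are rejected before any query runs.
    check_ajax_referer( 'team_lookup_nonce', 'nonce' );

    $id = isset( $_POST['team_member_id'] )
        ? absint( wp_unslash( $_POST['team_member_id'] ) )
        : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    // %s and %d placeholders: prepare() quotes the string and casts the id to int.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_type = %s AND ID = %d",
        'team',
        $id
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
```

When auditing a plugin for this class of bug, search for `wp_ajax_nopriv_` registrations and check whether every `$_GET`/`$_POST` value reaching `$wpdb` goes through `prepare()` or a strict type cast first.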
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.