VYPR
Medium severity, 6.8 · NVD Advisory · Published Jan 26, 2026 · Updated Apr 15, 2026

CVE-2025-14973

Description

The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unsanitized parameter leads to SQL injection in Recipe Card Blocks Lite before 3.4.13, allowing contributors or higher to execute SQL commands.

The Recipe Card Blocks Lite WordPress plugin, in versions prior to 3.4.13, fails to properly sanitize and escape a parameter before incorporating it into a SQL statement [1]. This omission introduces a classic SQL injection vulnerability, as the unsanitized user-supplied input is directly used within database queries without proper validation or escaping [1].

The vulnerability can be exploited by any authenticated user with at least the Contributor role, a low-level authoring privilege in WordPress [1]. An attacker with such access can inject arbitrary SQL through the vulnerable parameter, potentially manipulating the plugin's database interactions. No special network position is required beyond being a logged-in contributor on the affected WordPress site.

Successful exploitation allows an attacker to execute arbitrary SQL queries against the WordPress database [1]. This could lead to unauthorized reading of sensitive data (e.g., user credentials, personal information), modification of database content, or potentially gaining elevated privileges via manipulation of user meta or option tables.

The issue has been fixed in version 3.4.13 of the plugin [1]. Users are strongly advised to update to this patched version immediately. No workarounds are detailed in the available reference.
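The advisory states only that a parameter reaches a SQL statement without sanitization or escaping; it does not name the parameter or the query. The following is an added illustration, not the plugin's code, of that class of defect in a WordPress handler and of the fix pattern WordPress provides. The handler name, the `recipe_id` parameter, the `rcb_ratings` table suffix and the nonce action are all assumed for the example.

```php
<?php
// Added illustration (not Recipe Card Blocks Lite's code). A hypothetical AJAX
// handler that looks up a rating for a recipe; parameter and table names are assumed.

// Anti-pattern: the request parameter is interpolated straight into the query text.
// Any value the caller sends becomes part of the SQL, which is the defect class
// the advisory describes.
function rcb_example_get_rating_unsafe() {
    global $wpdb;
    $recipe_id = $_POST['recipe_id'];                       // untrusted, unsanitized
    $sql = "SELECT rating FROM {$wpdb->prefix}rcb_ratings WHERE recipe_id = $recipe_id";
    return $wpdb->get_var( $sql );                          // caller controls the query
}

// Hardened form: authorization, request-forgery check, type coercion, and a
// prepared statement via $wpdb->prepare().
function rcb_example_get_rating_safe() {
    global $wpdb;

    // Authorization alone does not fix this bug: Contributors already hold
    // edit_posts, and the advisory says Contributors can trigger the issue.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );             // exits
    }
    check_ajax_referer( 'rcb_rating_nonce', 'nonce' );      // dies on bad nonce

    // Coerce to the expected type before the value goes anywhere near SQL.
    $recipe_id = isset( $_POST['recipe_id'] ) ? absint( wp_unslash( $_POST['recipe_id'] ) ) : 0;
    if ( 0 === $recipe_id ) {
        wp_send_json_error( 'invalid recipe id', 400 );
    }

    // %d is an integer placeholder; prepare() substitutes a formatted value, so
    // no SQL metacharacters from the request can alter the statement.
    $sql = $wpdb->prepare(
        "SELECT rating FROM {$wpdb->prefix}rcb_ratings WHERE recipe_id = %d",
        $recipe_id
    );
    return $wpdb->get_var( $sql );
}

// For string-valued parameters the same pattern applies with %s; prepare() quotes
// and escapes the bound value, so manual escaping is not layered on top of it.
function rcb_example_find_by_slug_safe( $slug ) {
    global $wpdb;
    $slug = sanitize_title( $slug );                        // constrain to slug charset
    return $wpdb->get_var(
        $wpdb->prepare(
            "SELECT id FROM {$wpdb->prefix}rcb_recipes WHERE slug = %s",
            $slug
        )
    );
}
```

The point a reviewer would check for in a fix of this kind is that every request-derived value reaches `$wpdb` only through `prepare()` placeholders (or an equivalent allow-list for identifiers such as column or table names, which placeholders cannot bind), with the capability and nonce checks as defence in depth rather than as the primary control.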

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.