CVE-2025-22527
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yamna Khawaja Mailing Group Listserv wp-mailing-group allows SQL Injection. This issue affects Mailing Group Listserv: from n/a through <= 2.0.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in WordPress Mailing Group Listserv plugin up to 2.0.9 allows unauthenticated attackers to execute arbitrary SQL commands, risking data theft.
Vulnerability
Overview
The Mailing Group Listserv plugin for WordPress (wp-mailing-group) contains a SQL injection vulnerability caused by improper neutralization of special elements used in SQL commands. All versions up to and including 2.0.9 are affected. The flaw allows an attacker to inject malicious SQL into the plugin's database queries [1].
Exploitation
Attackers can exploit this vulnerability without authentication by sending specially crafted HTTP requests to any WordPress site running the vulnerable plugin. The reference notes that such vulnerabilities are frequently used in mass-exploit campaigns, targeting thousands of websites regardless of size or popularity [1]. No special network position is required; the attack can be carried out remotely.
Impact
Successful exploitation enables an attacker to directly interact with the database, potentially extracting sensitive information such as user credentials, personal data, or other stored content. This could lead to further compromise of the site and its users [1].
Mitigation
The vendor has released version 3.0.0, which resolves the vulnerability. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, consulting a hosting provider or web developer is recommended [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=2.0.9
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.