VYPR
High severity 7.6 · NVD Advisory · Published Mar 3, 2025 · Updated Apr 23, 2026

CVE-2025-25112

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kareemsultan Social Links social-links allows Command Line Execution through SQL Injection. This issue affects Social Links: from n/a through <= 1.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Social Links WordPress plugin ≤1.2 is vulnerable to SQL injection that can lead to command line execution, allowing unauthenticated attackers to execute arbitrary commands on the database.

The Social Links plugin for WordPress (version 1.2 and earlier) contains an SQL injection vulnerability due to improper neutralization of special elements used in SQL commands [1]. This flaw allows an attacker to inject arbitrary SQL statements into the database query, potentially leading to command line execution on the underlying database server.

Exploitation does not require authentication; an attacker can send crafted HTTP requests to the plugin's endpoints to trigger the injection. No special privileges or network position beyond standard web access is needed, making the attack surface broad and accessible to remote unauthenticated users.

Successful exploitation can result in command line execution, enabling the attacker to extract sensitive data, modify database contents, or execute system commands. The advisory notes that vulnerabilities of this type are frequently used in mass-exploit campaigns targeting thousands of websites [1].

Users are strongly advised to update the plugin to a patched version as soon as possible. If an update is not available, contacting the hosting provider or a web developer for mitigation assistance is recommended [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
