CVE-2025-28967
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Steve Truman Contact Us page - Contact people LITE contact-us-page-contact-people allows SQL Injection. This issue affects Contact Us page - Contact people LITE: from n/a through <= 3.7.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A SQL Injection vulnerability in the Contact Us page – Contact people LITE plugin (≤3.7.4) allows unauthenticated database manipulation.
Vulnerability
Overview
CVE-2025-28967 is a SQL Injection vulnerability discovered in the WordPress plugin "Contact Us page – Contact people LITE," affecting all versions up to and including 3.7.4. The flaw stems from improper neutralization of special elements used in an SQL command, allowing an attacker to inject arbitrary SQL statements into backend queries [1].
Exploitation
The vulnerability can be exploited without authentication, making it accessible to any remote attacker. By sending crafted input to the plugin’s contact form or other user-facing fields, the attacker can bypass the intended filtering and execute malicious SQL commands against the underlying database [1].
Impact
Successful exploitation could lead to unauthorized access, extraction, or manipulation of sensitive data stored in the WordPress database, such as user credentials, personal information, or site configuration. Given the severity (CVSS 8.5), this represents a critical risk to site integrity and confidentiality [1].
Mitigation
The vendor has released a patched version (3.7.5 or later) to address the issue. Site administrators are strongly advised to update the plugin immediately. If updating is not possible, contacting the hosting provider or web developer for assistance is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=3.7.4
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.