CVE-2025-39370
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in cnilsson iCafe Library icafe-library allows SQL Injection. This issue affects iCafe Library: from n/a through <= 1.8.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The iCafe Library WordPress plugin <=1.8.3 is vulnerable to unauthenticated SQL injection, allowing attackers to steal database contents.
The iCafe Library plugin for WordPress (versions up to and including 1.8.3) contains an SQL injection vulnerability due to improper neutralization of special elements used in SQL commands [1]. This flaw allows an attacker to inject arbitrary SQL queries into the application's database layer, bypassing intended input validation.
Exploitation does not require authentication, making it accessible to any remote attacker. The vulnerability is actively targeted in mass-exploit campaigns, where attackers scan for vulnerable installations and inject malicious SQL payloads [1]. No special network position is needed; the attack can be carried out over HTTP requests to the WordPress site.
Successful exploitation enables an attacker to directly interact with the underlying database, potentially extracting sensitive information such as user credentials, personal data, or other stored content [1]. The CVSS v3 score of 7.6 reflects the high impact on confidentiality and the low complexity of the attack.
As a mitigation, users should immediately update the iCafe Library plugin to a version newer than 1.8.3, which contains a fix for this vulnerability [1]. If an update is not possible, contacting the hosting provider or a web developer for assistance is recommended.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 affected product entries:
- (no CPE) range: <= 1.8.3
- (no CPE) range: <= 1.8.3
Patches
No patches discovered yet (0).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference (not listed on this page).
News mentions
No linked articles in our index yet (0).