CVE-2025-46463
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yamna Khawaja Mailing Group Listserv wp-mailing-group allows SQL Injection. This issue affects Mailing Group Listserv: from n/a through <= 3.0.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in WordPress Mailing Group Listserv plugin up to 3.0.4 allows unauthenticated attackers to extract sensitive database content.
The WordPress Mailing Group Listserv plugin (wp-mailing-group) versions through 3.0.4 fail to properly neutralize special elements used in SQL commands. This classic SQL injection vulnerability stems from the lack of input validation or sanitization when handling user-supplied data, allowing an attacker to inject arbitrary SQL queries into the application's database statements [1].
Exploitation
No authentication is required to exploit this flaw. An attacker can craft malicious HTTP requests to the vulnerable endpoint, injecting SQL commands that will be executed by the WordPress database. Because the plugin does not sanitize the input, the attack surface is broad and can be automated for mass exploitation against any site running the affected version [1].
Impact
Successful exploitation enables an attacker to read, modify, or delete database contents. This could lead to the exfiltration of sensitive data such as user credentials, personal information, or other stored WordPress data. Given the severity (CVSS 8.5) and the plugin's nature, this vulnerability is considered highly dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites [1].
Mitigation
The vulnerability has been patched in version 3.0.5 of the plugin. Users are strongly advised to update immediately. For those unable to update, Patchstack has issued a mitigation rule that blocks attack attempts until an update can be applied [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.