VYPR
High severity 7.6 · NVD Advisory · Published May 23, 2025 · Updated Apr 23, 2026

CVE-2025-47671

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LETSCMS MLM Software Binary MLM Plan binary-mlm-plan allows SQL Injection. This issue affects Binary MLM Plan: from n/a through <= 3.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unsanitized SQL inputs in the Binary MLM Plan WordPress plugin <=3.0 let unauthenticated attackers execute arbitrary SQL commands.

The Binary MLM Plan plugin for WordPress, versions 3.0 and earlier, contains a SQL injection vulnerability due to improper neutralization of special elements used in an SQL command [1]. This type of flaw occurs when user-supplied data is directly concatenated into SQL queries without proper sanitization or parameterization, allowing an attacker to manipulate the intended query logic.

Exploitation requires no authentication; the attacker only needs network access to the WordPress site. By crafting malicious input in a parameter that feeds into a SQL query, the attacker can inject arbitrary SQL commands [1]. The vulnerability is considered highly dangerous and is expected to be used in mass-exploit campaigns, targeting thousands of sites automatically, regardless of their size or popularity [1].

The impact is severe: a successful attack could allow the malicious actor to directly interact with the database, enabling theft of sensitive information such as user credentials, personal data, and site content [1]. Attackers might also be able to modify or delete data, compromise the entire WordPress installation, or gain further access to the server.

As of the advisory, the vulnerability has been patched in version 5.0 of the plugin. Users are strongly urged to update immediately. For those unable to update, applying a virtual patch or mitigation rule, such as the one provided by Patchstack, can block attacks until the update is performed [1]. No other workarounds have been documented.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
