CVE-2025-48278

Vulnerability

Overview

CVE-2025-48278 is an SQL injection vulnerability in the WordPress RSVPMarker plugin (versions through 11.5.6). The issue stems from improper neutralization of special elements used in an SQL command, allowing attackers to inject malicious SQL statements. This class of vulnerability is frequently exploited in mass campaigns targeting thousands of websites regardless of size or popularity [1].

Attack

Vector and Exploitation

The vulnerability can be exploited without authentication, making it accessible to any remote attacker. By crafting specially crafted input to vulnerable parameters, an attacker can break out of the intended SQL query context. No special network position is required beyond standard web access to a site running the vulnerable plugin [1].

Impact

Successful exploitation allows an attacker to directly interact with the database. This includes reading, modifying, or deleting sensitive data such as user credentials, personal information, and site configuration. The CVSS v3 score of 8.5 (High) reflects the severe confidentiality and integrity impact [1].

Mitigation

The vendor has released version 11.5.7 which patches the vulnerability. Immediate update to this version is strongly recommended. Sites unable to update immediately should consult their hosting provider or web developer for assistance. Patchstack users can enable auto-updates for vulnerable plugins [1].