VYPR
High severity · CVSS 8.5 · NVD Advisory · Published Aug 28, 2025 · Updated Apr 23, 2026

CVE-2025-49402


Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in scriptsbundle Exertio Framework exertio-framework allows Blind SQL Injection. This issue affects Exertio Framework: from n/a through <= 1.3.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Blind SQL injection in Exertio Framework plugin for WordPress (≤1.3.3) allows unauthenticated attackers to extract database contents.

The Exertio Framework plugin for WordPress, versions up to and including 1.3.3, contains a blind SQL injection vulnerability due to improper neutralization of special elements used in SQL commands. This flaw arises when user-supplied input is directly incorporated into database queries without adequate sanitization or parameterization, enabling an attacker to manipulate the query structure.
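The unsafe pattern the paragraph above describes, beside its parameterized counterpart, as an added illustration that is not the Exertio Framework's own code: the function names, the `listing` post type and the `category`, `paged` and search-term inputs are hypothetical, chosen only to show the difference between string concatenation and `$wpdb->prepare()` in a WordPress plugin.

```php
<?php
// Added illustration, not code from the Exertio Framework plugin. Function
// names, the 'listing' post type and the request parameters are hypothetical.

// UNSAFE: the request value is concatenated straight into the SQL string, so a
// quote or operator inside the value changes the structure of the query
// instead of being compared as data. This is the "improper neutralization"
// pattern the advisory describes.
function exertio_demo_find_listing_unsafe( $category ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} "
         . "WHERE post_type = 'listing' AND post_name = '" . $category . "'";
    return $wpdb->get_results( $sql );
}

// HARDENED: $wpdb->prepare() binds each value through a placeholder (%s for
// strings, %d for integers), so the query template is fixed before any user
// input is applied. Integers are additionally coerced with absint(), and the
// string is unslashed and sanitized as WordPress core does for request data.
function exertio_demo_find_listing_safe( $category, $paged ) {
    global $wpdb;
    $category = sanitize_text_field( wp_unslash( $category ) );
    $page     = max( 1, absint( $paged ) );
    $per_page = 10;
    $offset   = ( $page - 1 ) * $per_page;

    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} "
        . "WHERE post_type = 'listing' AND post_name = %s "
        . "ORDER BY post_date DESC LIMIT %d OFFSET %d",
        $category,
        $per_page,
        $offset
    );
    return $wpdb->get_results( $sql );
}

// Partial-match search is the case plugin authors most often get wrong: the
// wildcard characters must be escaped with esc_like() first, and the finished
// pattern is then bound with %s like any other string.
function exertio_demo_search_listings_safe( $term ) {
    global $wpdb;
    $pattern = '%' . $wpdb->esc_like( sanitize_text_field( wp_unslash( $term ) ) ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} "
            . "WHERE post_type = 'listing' AND post_title LIKE %s",
            $pattern
        )
    );
}
```

In the hardened forms the SQL template is identical for every request; only the bound values change. That is what removes the behavioural signals a blind injection relies on (the timing differences and error messages mentioned in the narrative), because no input can alter the query's structure or cause a parse error.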

Exploitation does not require authentication; an attacker can send specially crafted HTTP requests to the vulnerable endpoint, triggering blind SQL injection. This allows the attacker to infer information from the database by observing the application's response behavior, such as timing differences or error messages. The attack is remotely exploitable and can be performed without any prior access to the site.

Successful exploitation can lead to unauthorized extraction of sensitive data stored in the WordPress database, including user credentials, personal information, and other confidential records. The CVSS v3 base score of 8.5 reflects the high severity and potential for widespread abuse, as noted in the Patchstack advisory [1].

As an immediate mitigation, users should update the Exertio Framework plugin to the latest available version. If a patched version is not available, it is recommended to disable or remove the plugin and consult with a security professional or hosting provider for further assistance [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.


References (1)
