VYPR
High severity · 8.5 · NVD Advisory · Published Aug 20, 2025 · Updated Apr 23, 2026

CVE-2025-49891

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in uxper Uxper Booking uxper-booking allows Blind SQL Injection. This issue affects Uxper Booking: from n/a through <= 1.3.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Blind SQL injection in Uxper Booking WordPress plugin (<=1.3.3) allows unauthenticated attackers to extract database contents.

Vulnerability

Overview

The Uxper Booking plugin for WordPress (versions up to and including 1.3.3) contains a blind SQL injection vulnerability due to improper neutralization of special elements used in an SQL command [1]. The flaw lets an attacker inject arbitrary SQL into queries the plugin builds from its input fields, without prior authentication. Because the injection is blind, query results are not returned directly; an attacker instead infers database contents from differences in the application's responses.

Exploitation

The vulnerability is remotely exploitable and does not require any special privileges. Attackers can send crafted HTTP requests to the vulnerable endpoint, injecting SQL commands that are executed blindly. The Patchstack advisory notes that this type of vulnerability is highly dangerous and expected to be used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].

Impact

Successful exploitation enables an attacker to interact directly with the WordPress database. This can lead to the extraction of sensitive information such as user credentials, personal data, and other stored content. The CVSS v3 score of 8.5 (High) reflects the potential for significant data breach and system compromise [1].

Mitigation

Users are strongly advised to update the Uxper Booking plugin to the latest patched version immediately. If an update is not available, contact the plugin vendor or a web developer for assistance. Given the active threat landscape, applying the fix without delay is critical [1].
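For plugin developers and site maintainers reviewing their own code, the defect class this CVE names (CWE-89, improper neutralization in an SQL command) and its standard WordPress remediation look like the following. This is an added illustration, not code from the Uxper Booking plugin or the Patchstack advisory; the table name, column names and function names are assumed for the example, and `$wpdb` is WordPress's global database handle.

```php
<?php
// Added illustration (not the plugin's code): the CWE-89 pattern and its fix.
// Table `{$wpdb->prefix}bookings` and its columns are assumed for this example.

// Vulnerable pattern: request input is concatenated straight into the SQL text,
// so a crafted value can change the query's structure. Even when nothing is
// echoed back, true/false or timing differences leak data (blind SQL injection).
function ux_example_lookup_vulnerable( $booking_ref ) {
    global $wpdb;
    $sql = "SELECT id FROM {$wpdb->prefix}bookings WHERE ref = '" . $booking_ref . "'";
    return $wpdb->get_var( $sql );
}

// Hardened pattern: $wpdb->prepare() binds the value through a placeholder,
// so whatever the request contains is treated as data, never as SQL.
function ux_example_lookup_safe( $booking_ref ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT id FROM {$wpdb->prefix}bookings WHERE ref = %s",
        $booking_ref
    );
    return $wpdb->get_var( $sql );
}

// Defence in depth: validate the expected shape before the query layer is reached,
// and reject rather than "clean up" anything that does not match.
function ux_example_lookup_validated( $booking_ref ) {
    if ( ! is_string( $booking_ref ) || ! preg_match( '/^[A-Za-z0-9-]{1,32}$/', $booking_ref ) ) {
        return null;
    }
    return ux_example_lookup_safe( $booking_ref );
}

// Numeric identifiers: %d placeholder plus absint() for a non-negative integer.
function ux_example_booking_status( $booking_id ) {
    global $wpdb;
    return $wpdb->get_var( $wpdb->prepare(
        "SELECT status FROM {$wpdb->prefix}bookings WHERE id = %d",
        absint( $booking_id )
    ) );
}

// Identifiers such as ORDER BY columns cannot be bound with prepare(); map the
// request value onto a fixed allowlist and fall back to a safe default.
function ux_example_list_sorted( $orderby ) {
    global $wpdb;
    $allowed = array( 'created', 'ref', 'status' );
    $col     = in_array( $orderby, $allowed, true ) ? $orderby : 'created';
    return $wpdb->get_results(
        "SELECT id, ref, status FROM {$wpdb->prefix}bookings ORDER BY `$col` ASC"
    );
}
```

The two lookup functions differ only in how the request value reaches the query: the first splices it into the SQL string, the second passes it to `$wpdb->prepare()` as a bound parameter. Input validation and the ORDER BY allowlist are not substitutes for binding; they close the cases (identifiers, malformed input) that placeholders alone do not cover.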

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.