CVE-2025-52819
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pakkemx Pakke Envíos pakke allows SQL Injection. This issue affects Pakke Envíos: from n/a through <= 1.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL Injection vulnerability in Pakke Envíos WordPress plugin allows unauthenticated attackers to execute arbitrary SQL commands, potentially leading to data theft.
Vulnerability Overview
The Pakke Envíos WordPress plugin (versions up to and including 1.0.2) contains an SQL Injection vulnerability due to improper neutralization of special elements used in an SQL command [1]. This flaw arises when user-supplied input is directly incorporated into database queries without adequate sanitization or parameterization, enabling an attacker to manipulate the query structure.
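The page does not show the plugin's affected code, so the following is an added illustration, not code from Pakke Envíos or from the advisory: a hypothetical WordPress lookup handler written first with the unsafe pattern the description names (user input spliced into SQL text) and then with the parameterized form using `$wpdb->prepare()`. The function names, the `pakke_demo_shipments` table and the `pakke_demo_lookup` AJAX action are all invented for the example; the `$wpdb`, `sanitize_text_field`, `wp_unslash` and `wp_send_json_*` calls are standard WordPress APIs.

```php
<?php
// Added illustration, not code from the Pakke Envíos plugin. Assumes a
// WordPress context where the global $wpdb object and the WP helper
// functions used below are available.

// UNSAFE (hypothetical): the request value is interpolated into the SQL
// string, so the caller controls quoting and therefore query structure.
// This is the CWE-89 pattern the advisory describes.
function pakke_demo_lookup_unsafe( $tracking_code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'pakke_demo_shipments'; // hypothetical table
    $sql   = "SELECT id, status FROM {$table} WHERE tracking_code = '{$tracking_code}'";
    return $wpdb->get_results( $sql );
}

// SAFE: $wpdb->prepare() binds the value through the %s placeholder, so the
// supplied text is always a string literal and never SQL syntax. The table
// name is not user input, so interpolating the prefixed constant is fine.
function pakke_demo_lookup_safe( $tracking_code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'pakke_demo_shipments'; // hypothetical table
    $sql   = $wpdb->prepare(
        "SELECT id, status FROM {$table} WHERE tracking_code = %s",
        $tracking_code
    );
    return $wpdb->get_results( $sql );
}

// An unauthenticated (nopriv) AJAX action is the kind of endpoint the
// advisory refers to. Input is shape-checked before it reaches the query;
// note that sanitize_text_field() is an input-hygiene step, not an SQL
// defence: the parameterized query is what prevents injection here.
add_action( 'wp_ajax_nopriv_pakke_demo_lookup', function () {
    $raw  = isset( $_GET['tracking_code'] ) ? wp_unslash( $_GET['tracking_code'] ) : '';
    $code = sanitize_text_field( $raw );
    if ( $code === '' || strlen( $code ) > 64 ) {
        wp_send_json_error( 'invalid tracking code', 400 );
    }
    wp_send_json_success( pakke_demo_lookup_safe( $code ) );
} );
```

When reviewing a plugin for this class of bug, the search is for `$wpdb->query`, `get_results`, `get_var` or `get_row` calls whose SQL string is built with interpolation or concatenation from `$_GET`, `$_POST` or `$_REQUEST`; every such site should route through `$wpdb->prepare()` with `%s`, `%d` or `%f` placeholders for the values.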
Exploitation Details
Exploitation does not require authentication, as the vulnerable endpoint is accessible to unauthenticated users [1]. An attacker can send crafted HTTP requests containing malicious SQL payloads to the plugin's input fields. No special network position is needed; the attack can be performed remotely over the internet. The vulnerability is considered highly dangerous and is expected to be targeted in mass-exploit campaigns against thousands of WordPress sites [1].
Impact
Successful exploitation allows an attacker to directly interact with the underlying database [1]. This can lead to unauthorized reading of sensitive data (e.g., user credentials, personal information), modification or deletion of database contents, and in some cases, escalation to further server compromise. The CVSS v3 base score of 8.5 (High) reflects the significant potential for data breach and system disruption.
Mitigation
The vendor has not yet released a patched version; users are urged to update the plugin as soon as a fix becomes available [1]. As an immediate workaround, site administrators should disable the plugin or implement web application firewall (WAF) rules to block SQL injection attempts. Given the active threat landscape, prompt action is recommended.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.