CVE-2025-52822
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Iqonic Design WP Roadmap wp-roadmap allows SQL Injection. This issue affects WP Roadmap: from n/a through <= 2.1.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in WP Roadmap plugin (≤2.1.3) allows unauthenticated attackers to execute arbitrary SQL commands, leading to data theft.
Vulnerability
Overview
CVE-2025-52822 is a SQL injection vulnerability in the WP Roadmap plugin for WordPress, affecting versions from n/a through 2.1.3. The issue stems from improper neutralization of special elements used in an SQL command, allowing an attacker to inject malicious SQL queries into the database. This type of flaw is commonly exploited in mass campaigns targeting thousands of websites simultaneously [1].
Exploitation
The vulnerability can be exploited without authentication, making it accessible to any remote attacker. By sending specially crafted input to the plugin, an attacker can bypass input sanitization and execute arbitrary SQL statements. The Patchstack advisory highlights that such vulnerabilities are frequently used in automated attacks, regardless of the site's traffic or popularity [1].
Impact
Successful exploitation enables an attacker to directly interact with the underlying database, potentially stealing sensitive information such as user credentials, personal data, or other stored content. The CVSS v3 score of 8.5 (High) reflects the significant risk of data compromise and the low complexity of exploitation [1].
Mitigation
The vendor has released version 2.2.0, which patches the SQL injection flaw. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins to ensure timely protection [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.