VYPR
High severity 8.5 · NVD Advisory · Published Dec 9, 2025 · Updated Apr 27, 2026

CVE-2025-62093

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Image&Video FullScreen Background lbg_fullscreen_fullwidth_slider allows SQL Injection. This issue affects Image&Video FullScreen Background: from n/a through <= 1.6.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in LambertGroup Image&Video FullScreen Background plugin (≤1.6.7) allows unauthenticated attackers to execute arbitrary SQL commands.

Vulnerability

Overview

The LambertGroup Image&Video FullScreen Background plugin for WordPress (versions up to and including 1.6.7) contains a SQL injection vulnerability due to improper neutralization of special elements used in an SQL command. This flaw exists in the lbg_fullscreen_fullwidth_slider component, where user-supplied input is not properly sanitized before being used in database queries [1].

Exploitation

An attacker can exploit this vulnerability without requiring authentication, making it accessible to any remote user. The attack vector is network-based, and the low complexity of exploitation means that automated tools can easily target vulnerable installations. This type of vulnerability is frequently used in mass-exploit campaigns against WordPress sites, regardless of their size or popularity [1].

Impact

Successful exploitation allows an attacker to interact directly with the underlying database, which could lead to data theft, modification, deletion, or exfiltration. An attacker could potentially steal sensitive information such as user credentials, personal data, other stored content, or other database records. The CVSS v3 score of 8.5 (High) reflects the significant confidentiality and integrity impact [1].

Mitigation

Users are strongly advised to update the plugin to a patched version (1.6.8 or later) as soon as possible. If an immediate update is not feasible, site owners should contact their hosting provider or a web developer for assistance. No workarounds have been published, and the vendor has not indicated that older versions will receive a patch [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
