CVE-2025-67518
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Accordion Slider PRO accordion_slider_pro allows Blind SQL Injection. This issue affects Accordion Slider PRO: from n/a through <= 1.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Blind SQL injection in Accordion Slider PRO <= 1.2 allows unauthenticated database manipulation via unsanitized SQL parameters.
Vulnerability
Overview
The Accordion Slider PRO WordPress plugin, up to version 1.2, suffers from a blind SQL injection vulnerability stemming from improper neutralization of special elements used in an SQL command [1]. This flaw allows an attacker to pass arbitrary SQL statements through unsanitized input fields, giving access to the underlying database [1].
Exploitation and Attack Surface
Exploitation requires no authentication, making the attack surface broad and accessible to unauthenticated remote attackers [1]. The vulnerable parameter is not explicitly disclosed, but the flaw is classified as a classic blind SQL injection, meaning an attacker can infer database contents through true/false responses or time delays [1]. The plugin's widespread use makes it a target for mass-exploit campaigns [1].
Impact
A successful attacker can directly interact with the database, leading to data theft (sensitive user information, credentials, site configuration) and potential lateral movement within the hosting environment [1]. The CVSS v3 score of 8.5 (High) reflects the high confidentiality and integrity impact without requiring user interaction or privileges [1].
Mitigation
The vendor has released version 1.3 which patches the vulnerability [1]. Users are strongly advised to update immediately or enable auto-updates for vulnerable plugins via Patchstack [1]. For those unable to update, consulting a hosting provider or developer is recommended as a workaround [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.