CVE-2025-67519
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows SQL Injection. This issue affects Ninja Tables: from n/a through <= 5.2.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated SQL injection in Ninja Tables for WordPress (≤5.2.3) allows attackers to steal database contents; patch to 5.2.4.
Vulnerability
CVE-2025-67519 is an Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) in the WordPress plugin Ninja Tables. The flaw exists in versions up to and including 5.2.3, where user-supplied input is not properly sanitized before being used in a database query. This enables an attacker to inject arbitrary SQL statements into the underlying query [1].
Exploitation
The attack does not require authentication, making it exploitable by any remote visitor. By crafting malicious input to vulnerable parameters, an attacker can manipulate SQL queries executed by the plugin. The official advisory notes that such vulnerabilities are frequently used in mass-exploit campaigns targeting thousands of WordPress sites simultaneously, regardless of site popularity or traffic [1].
Impact
Successful exploitation allows a malicious actor to directly interact with the WordPress database. This includes the ability to steal sensitive information such as user credentials, personal data, and site content. The CVSS score of 7.6 (High) reflects the potential for significant confidentiality impact [1].
Mitigation
The vendor has released version 5.2.4, which fixes the SQL injection. Updating to this version immediately is the recommended remediation. For Patchstack users, auto-update for vulnerable plugins can be enabled. No workaround other than upgrading has been provided [1].
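One way to act on the upgrade guidance across many sites, as an added example (not code from the advisory or the plugin): the script finds every copy of the plugin under a web root and compares its header version with 5.2.4. It assumes the standard WordPress layout `wp-content/plugins/<slug>` and the standard `Version:` plugin header; the file name and tree built in `demo()` are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "ninja-tables"  # slug as written in the CVE description
FIXED = (5, 2, 4)             # first fixed release named in the advisory
# WordPress takes a plugin's version from the "Version:" header comment
# of a PHP file in the plugin's top-level directory.
VERSION_RE = re.compile(r"^[ \t/*#]*Version:\s*(\S+)", re.M | re.I)

def parse_version(text):
    """'5.2.3' -> (5, 2, 3); short versions are zero-padded; None if no digits."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums))) if nums else None

def installed_version(plugin_dir):
    """Version from the first top-level PHP file that has a plugin header."""
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        match = VERSION_RE.search(head)
        if "Plugin Name:" in head and match:
            return parse_version(match.group(1))
    return None

def audit(root):
    """Return [(relative path, version, status)] for each plugin copy under root."""
    rows = []
    for d in sorted(Path(root).glob(f"**/wp-content/plugins/{PLUGIN_SLUG}")):
        ver = installed_version(d)
        if ver is None:
            status = "unknown"  # no readable header: inspect by hand
        else:
            status = "vulnerable" if ver < FIXED else "patched"
        rows.append((d.relative_to(root).as_posix(), ver, status))
    return rows

def demo():
    """Build a constructed tree of three sites and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for site, body in [("a", "Version: 5.2.3"), ("b", "Version: 5.2.4"), ("c", "")]:
            d = Path(tmp, site, "wp-content", "plugins", PLUGIN_SLUG)
            d.mkdir(parents=True)
            # File name and header text are constructed sample data.
            (d / "plugin.php").write_text(f"<?php\n/*\n * Plugin Name: Ninja Tables\n * {body}\n */\n")
        return audit(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Copies reported as `unknown` have no readable version header and need a manual check rather than being assumed patched.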
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.