CVE-2025-67520

The Media Library Tools plugin for WordPress, versions 1.6.15 and earlier, contains an SQL injection vulnerability due to improper neutralization of special elements used in an SQL command. This flaw allows an attacker to inject malicious SQL queries through unsanitized input fields.

Exploitation does not require authentication, making the attack surface broad. An attacker can send crafted requests to the vulnerable plugin, bypassing input validation and executing arbitrary SQL commands against the WordPress database. This type of vulnerability is often leveraged in mass-exploit campaigns targeting multiple websites simultaneously [1].

The impact is severe: a successful exploit could allow an attacker to extract sensitive information from the database, modify or delete data, and potentially gain further access to the site. The CVSS v3 score of 7.6 reflects the high potential for data compromise and system disruption [1].

The vendor has released version 1.7.0 to patch the vulnerability. Users are strongly advised to update immediately. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-update for affected plugins [1].