CVE-2025-68053
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup xPromoter top_bar_promoter allows Blind SQL Injection.This issue affects xPromoter: from n/a through <= 1.3.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A blind SQL injection vulnerability in the xPromoter WordPress plugin allows unauthenticated attackers to extract database content.
The xPromoter WordPress plugin, which provides promotional bar functionality, is vulnerable to SQL injection through the top_bar_promoter parameter. The root cause is improper neutralization of special elements used in an SQL command, enabling blind SQL injection attacks [1]. Affected versions are from n/a through 1.3.4.
Exploitation does not require authentication, making it particularly dangerous for mass exploitation campaigns. An attacker can inject malicious SQL queries without needing prior access to the site, leveraging the vulnerable parameter to interact with the database in a blind manner [1].
A successful exploit could allow a malicious actor to directly interact with the database, including stealing sensitive information such as user credentials or personal data. The impact is rated as High with a CVSS v3 score of 8.5 [1].
The vulnerability has been patched in version 1.3.5. Users are advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. For those unable to update, consulting a hosting provider or web developer is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=1.3.4
- Range: <=1.3.4
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.