CVE-2025-68056

Vulnerability

Overview

CVE-2025-68056 describes an SQL injection vulnerability in the WordPress plugin LBG Zoominoutslider, versions up to and including 5.4.4. The plugin fails to properly neutralize special elements used in SQL commands, allowing an attacker to inject arbitrary SQL queries. This is a classic SQL injection flaw (CWE-89) that can be exploited without authentication [1].

Exploitation

The attack vector is network-based and requires no user interaction or elevated privileges. An attacker can send a crafted request to the vulnerable plugin endpoint, the attacker can inject malicious SQL statements. The vulnerability is considered high severity (CVSS 8.5) and is known to be used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].

Impact

Successful exploitation allows a malicious actor to directly interact with the underlying database. This could lead to unauthorized reading of sensitive data (e.g., user credentials, personal information), modification or deletion of database content, and potentially further compromise of the WordPress installation [1].

Mitigation

The vendor has released version 5.4.5 which fixes the vulnerability. Users are strongly advised to update immediately. For those unable to update, contacting the hosting provider or a web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].