VYPR
High severity · 8.5 · NVD Advisory · Published Dec 30, 2025 · Updated Apr 27, 2026

CVE-2025-68990

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in xenioushk BWL Pro Voting Manager (bwl-pro-voting-manager) allows Blind SQL Injection. This issue affects BWL Pro Voting Manager: from n/a through <= 1.4.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Blind SQL Injection in BWL Pro Voting Manager plugin allows unauthenticated attackers to extract sensitive data from WordPress databases.

The BWL Pro Voting Manager plugin for WordPress, up to version 1.4.9, fails to properly neutralize special elements in SQL commands, leading to a blind SQL injection vulnerability. This occurs because user-supplied input is directly incorporated into SQL queries without adequate sanitization or parameterization [1].

Attackers can exploit this vulnerability by sending crafted HTTP requests to the plugin's voting-related endpoints. No authentication is required, making it accessible to remote, unauthenticated attackers. The blind nature of the injection means attackers can infer information through boolean-based or time-based responses [1].

Successful exploitation allows an attacker to interact with the underlying database, enabling them to retrieve sensitive information such as usernames, password hashes, and other user data. The vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites [1].

As an immediate mitigation, users should update the BWL Pro Voting Manager plugin to version 1.5.0 or later. If updating is not possible, consider temporarily disabling the plugin and consulting a web developer for assistance [1].
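To make the mechanism described above concrete, the following is an added illustration and not code from BWL Pro Voting Manager or from this advisory's source: it shows the general WordPress-plugin pattern in which a request parameter is concatenated into a query, beside the same lookup written with $wpdb->prepare(). The table name vote_totals, the poll_id and poll slug parameters, and the vyprdemo_* function names are all hypothetical; $wpdb->prepare(), $wpdb->get_var(), absint(), wp_unslash() and sanitize_text_field() are real WordPress APIs.

```php
<?php
// Added illustration (not code from BWL Pro Voting Manager): the general
// pattern behind a blind SQL injection in a WordPress plugin and its fix.
// The table `{$wpdb->prefix}vote_totals`, the `poll_id` / slug parameters
// and the vyprdemo_* function names are hypothetical.

// VULNERABLE PATTERN: request input is concatenated straight into the SQL.
// Anything other than a plain integer in `poll_id` changes the query text.
// Because only an aggregate is returned, nothing leaks directly, but the
// response (a value vs. none, or a delay) still answers one yes/no question
// per request, which is exactly what "blind" injection relies on.
function vyprdemo_vote_total_vulnerable() {
    global $wpdb;
    $poll_id = isset( $_GET['poll_id'] ) ? $_GET['poll_id'] : '';
    $sql     = "SELECT SUM(votes) FROM {$wpdb->prefix}vote_totals WHERE poll_id = " . $poll_id;
    return $wpdb->get_var( $sql );
}

// HARDENED PATTERN: validate the type first, then bind with $wpdb->prepare().
// The %d placeholder fixes the query text regardless of what the client
// sent; absint() turns anything non-numeric into 0, which is rejected.
function vyprdemo_vote_total_hardened() {
    global $wpdb;
    if ( ! isset( $_GET['poll_id'] ) ) {
        return null;
    }
    $poll_id = absint( wp_unslash( $_GET['poll_id'] ) );
    if ( 0 === $poll_id ) {
        return null; // not a valid poll identifier
    }
    $sql = $wpdb->prepare(
        "SELECT SUM(votes) FROM {$wpdb->prefix}vote_totals WHERE poll_id = %d",
        $poll_id
    );
    return $wpdb->get_var( $sql );
}

// For string-typed input (e.g. a poll slug) use the %s placeholder rather
// than %d. prepare() adds the quoting itself; it is the placeholder, not
// manual escaping, that keeps user data out of the SQL grammar.
function vyprdemo_vote_total_by_slug( $slug ) {
    global $wpdb;
    $slug = sanitize_text_field( wp_unslash( $slug ) );
    return $wpdb->get_var(
        $wpdb->prepare(
            "SELECT SUM(votes) FROM {$wpdb->prefix}vote_totals WHERE poll_slug = %s",
            $slug
        )
    );
}
```

When auditing a plugin for this class of bug, the review question is the same for every handler reachable without authentication (admin-ajax actions with a nopriv hook, REST routes, shortcode handlers): does every value that originates in $_GET, $_POST or the request body reach $wpdb only through a prepare() placeholder or after a strict type check? Any handler that builds SQL by string concatenation, as in the first function, is the pattern to fix.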

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.