CVE-2025-2011

Published May 6, 2025

Last updated 7 months ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-2011 is a SQL Injection vulnerability found in the Slider & Popup Builder by Depicter plugin for WordPress. It affects versions up to and including 3.6.1. The vulnerability lies in the 's' parameter, where insufficient escaping of user-supplied input and a lack of proper SQL query preparation exist. The vulnerability was discovered and fixed in version 3.6.2, released on May 5, 2025. An unauthenticated attacker could exploit this vulnerability to append additional SQL queries to existing queries. This could allow them to extract sensitive information from the database, potentially exposing confidential data stored in the WordPress database. To mitigate this vulnerability, users should immediately update to version 3.6.2 or later of the Depicter plugin.

Description: The Slider & Popup Builder by Depicter plugin for WordPress is vulnerable to generic SQL Injection via the ‘s' parameter in all versions up to, and including, 3.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source: security@wordfence.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: HIGH

Weaknesses

security@wordfence.com: CWE-89

Hype score: Not currently trending

References