Description
The VR-Frases (collect & share quotes) plugin for WordPress is vulnerable to SQL Injection via several parameters in all versions up to, and including, 3.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-01-30
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Assess Impact
AI Analysis

Impact

The VR‑Frases plugin for WordPress suffers from SQL Injection in several parameters because user input is not properly escaped and existing queries are not prepared. The flaw allows an attacker to append arbitrary SQL statements to the constructed query, enabling them to retrieve any data stored in the MySQL database attached to the WordPress site. This can expose sensitive information such as user credentials, post metadata, and other confidential content, thereby compromising the confidentiality and integrity of the entire installation.

Affected Systems

The vulnerability affects all releases of vruizg:VR‑Frases up to and including version 3.0.1. Any WordPress website running one of these plugin versions is susceptible unless a newer, patched release is deployed.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate severity, while the EPSS score of less than 1 % suggests a very low but non‑zero probability of exploitation at the time of analysis. The flaw is listed as a classic SQL Injection (CWE‑89) and is not currently in CISA’s KEV catalog. Based on the description, the attack can be carried out by submitting malicious data through the plugin’s input endpoints without needing prior authentication, thereby allowing unauthenticated users to cause data extraction attacks. The exploit path requires sending a crafted HTTP request that includes the vulnerable parameter, which the plugin processes and concatenates into an SQL query without sanitization.

Generated by OpenCVE AI on April 28, 2026 at 03:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the VR‑Frases plugin to a version newer than 3.0.1 when a patch is released.
  • As an interim measure, deactivate or remove the plugin to eliminate the attack surface.
  • If the plugin must remain active, configure a web application firewall or input validation rule to detect and block malicious SQL payloads targeting VR‑Frases endpoints.

Generated by OpenCVE AI on April 28, 2026 at 03:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-1901 The VR-Frases (collect & share quotes) plugin for WordPress is vulnerable to SQL Injection via several parameters in all versions up to, and including, 3.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
References

Fri, 31 Jan 2025 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Vruiz
Vruiz vr-frases
CPEs cpe:2.3:a:vruiz:vr-frases:*:*:*:*:*:*:*:*
Vendors & Products Vruiz
Vruiz vr-frases

Thu, 30 Jan 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Jan 2025 09:30:00 +0000

Type Values Removed Values Added
Description The VR-Frases (collect & share quotes) plugin for WordPress is vulnerable to SQL Injection via several parameters in all versions up to, and including, 3.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title VR-Frases (collect & share quotes) <= 3.0.1 - Authenticated (Admin+) SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Vruiz Vr-frases
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:40:39.670Z

Reserved: 2025-01-29T21:18:03.503Z

Link: CVE-2025-0861

cve-icon Vulnrichment

Updated: 2025-01-30T15:01:37.764Z

cve-icon NVD

Status : Modified

Published: 2025-01-30T10:15:08.907

Modified: 2026-04-08T17:19:54.367

Link: CVE-2025-0861

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T03:45:20Z

Weaknesses