Description
The Legoeso PDF Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘checkedVals’ parameter in all versions up to, and including, 1.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-02-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorized SQL Injection enabling extraction of sensitive database information
Action: Apply Patch
AI Analysis

Impact

The Legoeso PDF Manager plugin for WordPress contains a time‑based SQL injection flaw in the checkedVals parameter in all versions up to 1.2.2. Because the input is not properly escaped and the SQL query is built without sufficient preparation, an attacker who has Author‑level or higher permissions can append arbitrary SQL statements to the original query. This allows extraction of sensitive information from the database, such as user credentials, site content, and other confidential data controlled by the WordPress installation.
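To make the root cause concrete, the following is an added, illustrative example and not the plugin's own source code (which does not appear on this page). It shows a hypothetical WordPress AJAX handler that splices a comma-separated checkedVals value straight into an IN() list, beside a hardened version that checks capability and nonce first, coerces every value to an integer, and binds the list through $wpdb->prepare() with one placeholder per value. The table name, handler and action names, and nonce name are assumptions.

```php
<?php
// Illustrative code only: not Legoeso PDF Manager source. Demonstrates the
// weakness class (CWE-89, unprepared IN() list) and a prepared-query fix.
// Assumed: a table {$wpdb->prefix}pdf_docs and an AJAX action that receives
// a comma-separated list of document IDs in the 'checkedVals' POST field.

// VULNERABLE PATTERN: user input is interpolated into the SQL text unescaped
// and unprepared, so the parameter value becomes part of the query itself.
function pdfm_delete_checked_vulnerable() {
    global $wpdb;
    $checked = isset( $_POST['checkedVals'] ) ? $_POST['checkedVals'] : '';
    $table   = $wpdb->prefix . 'pdf_docs';
    $wpdb->query( "DELETE FROM {$table} WHERE id IN ({$checked})" );
}

// HARDENED PATTERN: authorization, CSRF check, strict typing, prepared query.
function pdfm_delete_checked_hardened() {
    global $wpdb;

    // Require a capability that Author-level accounts do not hold
    // (capability choice is an assumption; pick what fits the action).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // Nonce check for the AJAX action (nonce name is an assumption).
    check_ajax_referer( 'pdfm_manage_docs', 'nonce' );

    $raw = isset( $_POST['checkedVals'] ) ? wp_unslash( $_POST['checkedVals'] ) : '';

    // Coerce each element to a non-negative integer; absint() turns anything
    // that is not a number into 0, which array_filter() then drops.
    $ids = array_values( array_filter( array_map( 'absint', explode( ',', (string) $raw ) ) ) );
    if ( empty( $ids ) ) {
        wp_send_json_error( 'no valid ids', 400 );
    }

    $table = $wpdb->prefix . 'pdf_docs';

    // One %d placeholder per value; $wpdb->prepare() binds them, so the
    // query text never contains raw request data.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql          = $wpdb->prepare( "DELETE FROM {$table} WHERE id IN ({$placeholders})", ...$ids );
    $deleted      = $wpdb->query( $sql );

    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
add_action( 'wp_ajax_pdfm_delete_checked', 'pdfm_delete_checked_hardened' );
```

The hardened handler addresses both halves of the advisory's description: the missing escaping is replaced by integer coercion plus placeholder binding, and the missing preparation is replaced by $wpdb->prepare(); the capability check additionally removes the Author-level reach that the advisory describes.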

Affected Systems

WordPress sites that have the Legoeso PDF Manager plugin installed at version 1.2.2 or earlier. Any user with Author or higher privileges on the site can exploit the flaw. The vendor announced the fix in later releases, so administrators should verify their plugin version against the affected range.

Risk and Exploitability

The CVSS base score of 6.5 indicates a medium severity vulnerability, while the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog and it requires authenticated access to the WordPress admin interface. Attackers would need to be able to log in with an Author‑level account and then craft a request targeting the checkedVals parameter, which is typically part of the plugin’s internal administration pages. Because the attacker must already have sufficient privileges, the overall risk is limited but still non‑negligible, especially for sites with large numbers of Authors or where the database contains highly sensitive content.

Generated by OpenCVE AI on April 22, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Legoeso PDF Manager plugin to version 1.2.3 or later, which removes the vulnerability.
  • If the plugin cannot be upgraded immediately, restrict Author+ user roles from modifying PDF documents or disable the checkedVals functionality via role restrictions.
  • If disabling the functionality is not possible, consider removing the plugin entirely until a fixed version is released.



Advisories
Source: EUVD
ID: EUVD-2025-4612
Title: The Legoeso PDF Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘checkedVals’ parameter in all versions up to, and including, 1.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Tue, 25 Feb 2025 18:45:00 +0000

Type: First Time appeared
  Values Removed: none
  Values Added: Legoeso; Legoeso pdf Manager
Type: CPEs
  Values Removed: none
  Values Added: cpe:2.3:a:legoeso:pdf_manager:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
  Values Removed: none
  Values Added: Legoeso; Legoeso pdf Manager

Thu, 20 Feb 2025 16:15:00 +0000

Type: Metrics (ssvc)
  Values Removed: none
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 20 Feb 2025 09:30:00 +0000

Type: Description
  Values Removed: none
  Values Added: The Legoeso PDF Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘checkedVals’ parameter in all versions up to, and including, 1.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Type: Title
  Values Removed: none
  Values Added: Legoeso PDF Manager <= 1.2.2 - Authenticated (Author+) SQL Injection via checkedVals Parameter
Type: Weaknesses
  Values Removed: none
  Values Added: CWE-89
Type: References
  Values Removed: none
  Values Added:
Type: Metrics (cvssV3_1)
  Values Removed: none
  Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:11.095Z

Reserved: 2025-01-29T22:54:27.229Z

Link: CVE-2025-0866

Vulnrichment

Updated: 2025-02-20T15:36:59.046Z

NVD

Status: Analyzed

Published: 2025-02-20T10:15:11.980

Modified: 2025-02-25T18:18:49.543

Link: CVE-2025-0866

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:30:17Z

Weaknesses