Description
The ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin for WordPress is vulnerable to SQL Injection via the export_csv() function in all versions up to, and including, 2.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This may be exploitable by lower level users if access to the plugin is granted.
Published: 2025-09-20
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection exposing sensitive database content
Action: Immediate Patch
AI Analysis

Impact

The ClickWhale WordPress plugin is vulnerable to SQL injection through the export_csv() function because user input is not properly escaped and the query is not prepared. This flaw, classified as CWE‑89, would allow an attacker to append additional SQL statements to the existing query, resulting in extraction of sensitive database information. The vulnerability is exploitable only by authenticated users who have at least Administrator privileges, though it could be leveraged by lower‑level users if the plugin is granted to them.

Affected Systems

The affected product is ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages, a WordPress plugin. Versions up to and including 2.5.0 contain the flaw; versions released after 2.5.0 are not listed as affected.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate severity, but the EPSS score of <1% reflects a very low likelihood that this weakness will be exploited in the wild. The vulnerability is not currently in CISA’s KEV catalog, suggesting that no widespread exploitation is known. Nevertheless, the flaw permits attackers with sufficient authentication to read privileged data, so risk rises if an admin account is compromised or if non‑administrator users are granted plugin access. The attack vector is authenticated access, requiring active logins to the WordPress backend and the use of the export function, which makes public‑remote exploitation impossible.

Generated by OpenCVE AI on April 21, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ClickWhale to any release newer than 2.5.0, where the SQL injection is fixed.
  • Restrict the plugin’s functionality to Administrator role users and review role assignments to ensure no lower‑privileged accounts can execute export_csv().
  • Refactor the export_csv() routine to use prepared statements or parameterized queries and sanitize all user‑supplied input to eliminate any remaining SQL injection risk.

Generated by OpenCVE AI on April 21, 2026 at 02:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-30310 The ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin for WordPress is vulnerable to SQL Injection via the export_csv() function in all versions up to, and including, 2.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This may be exploitable by lower level users if access to the plugin is granted.
History

Mon, 22 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 22 Sep 2025 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Flowdee
Flowdee clickwhale
Wordpress
Wordpress wordpress
Vendors & Products Flowdee
Flowdee clickwhale
Wordpress
Wordpress wordpress

Sat, 20 Sep 2025 04:45:00 +0000

Type Values Removed Values Added
Description The ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin for WordPress is vulnerable to SQL Injection via the export_csv() function in all versions up to, and including, 2.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This may be exploitable by lower level users if access to the plugin is granted.
Title ClickWhale <= 2.5.0 - Authenticated (Admin+) SQL injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Flowdee Clickwhale
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:28.527Z

Reserved: 2025-09-04T18:21:57.134Z

Link: CVE-2025-10002

cve-icon Vulnrichment

Updated: 2025-09-22T15:06:43.763Z

cve-icon NVD

Status : Deferred

Published: 2025-09-20T05:15:34.607

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10002

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T03:00:06Z

Weaknesses