Description
The Find Me On WordPress plugin through 2.0.9.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing subscribers and above to perform SQL injection attacks
Published: 2025-10-08
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Apply Patch
AI Analysis

Impact

The Find Me On WordPress plugin, versions up to 2.0.9.1, contains a flaw that fails to sanitize and escape a user‑supplied parameter before it is incorporated into a SQL statement. This omission allows any authenticated user with the Subscriber role or higher to inject arbitrary SQL into backend queries. The vulnerability is a classic example of CWE‑89 (SQL Injection) and could enable the attacker to read, modify, or delete data in the WordPress database, potentially compromising user data and site integrity.

Affected Systems

Any WordPress site that has the Find Me On plugin installed and is running a version ≤ 2.0.9.1 is impacted. The plugin is distributed under an unknown vendor, so all installations using this plugin version are at risk. The flaw is only exploitable by accounts that already exist on the site, so ordinary visitors who cannot authenticate are not directly affected unless additional misconfigurations allow anonymous access to the relevant endpoints.

Risk and Exploitability

With a CVSS score of 7.7, the flaw is considered high severity. The EPSS metrics show a probability of exploitation of less than 1 % and the vulnerability is not listed in the CISA KEV catalog, indicating no known active exploits. Nevertheless, because the attack requires only subscriber‑level access—roles commonly assigned to regular users—the potential for exploitation is significant. Administrators should treat this as a high‑priority issue and act promptly to mitigate the risk.

Generated by OpenCVE AI on April 28, 2026 at 10:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Find Me On plugin to the latest version; if the plugin has not yet been updated, consider disabling it entirely or removing it from the site.
  • If the plugin must remain in use, limit the database user’s permissions to SELECT only on the tables accessed by the plugin to minimize potential damage from an injection.
  • Restrict access to the plugin’s functionality by applying role‑based access controls, ensuring only administrators can interact with endpoints that accept user input.
  • Monitor the WordPress logs for unusual SQL query activity or error messages that may indicate an attempt to exploit the flaw.
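The Impact section describes the flaw class (a request parameter concatenated into SQL without escaping) and the recommended actions call for role-based access control on the plugin's endpoints. The following PHP is an added illustration of both points, written here for this page; it is not the Find Me On plugin's code, and the table name `fmo_profiles`, the function names, the `manage_options` capability and the parameter names are all assumptions.

```php
<?php
// Added illustration, not the plugin's code. Table, column, function and
// capability names below are hypothetical.

// Pattern behind CWE-89: the request value is spliced into the SQL text, so
// its content is parsed as part of the statement rather than as data.
function fmo_lookup_profile_unsafe( $request_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'fmo_profiles'; // hypothetical table
    $sql   = "SELECT * FROM {$table} WHERE id = " . $request_id;
    return $wpdb->get_row( $sql );
}

// Hardened form: gate the code path on a capability (so Subscriber-level
// accounts never reach it), validate the type, and bind the value with
// $wpdb->prepare() so it can only ever be a literal.
function fmo_lookup_profile_safe( $request_id ) {
    global $wpdb;

    // Assumed policy: only users who can manage the plugin may query it.
    if ( ! current_user_can( 'manage_options' ) ) {
        return null;
    }

    $id = absint( $request_id ); // non-numeric input becomes 0
    if ( 0 === $id ) {
        return null;
    }

    $table = $wpdb->prefix . 'fmo_profiles';
    $sql   = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id );
    return $wpdb->get_row( $sql );
}

// String columns use %s, which prepare() quotes and escapes. A LIKE pattern
// additionally needs $wpdb->esc_like() so '%' and '_' in input stay literal.
function fmo_search_handle_safe( $handle ) {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        return array();
    }

    $table = $wpdb->prefix . 'fmo_profiles';
    $like  = '%' . $wpdb->esc_like( sanitize_text_field( $handle ) ) . '%';
    $sql   = $wpdb->prepare(
        "SELECT id, handle FROM {$table} WHERE handle LIKE %s",
        $like
    );
    return $wpdb->get_results( $sql );
}
```

The capability check implements the role-based access control bullet above at the code level; the `prepare()` placeholders address the missing escaping itself. Both are needed: restricting who can reach an endpoint narrows exposure, but only parameter binding removes the injection.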



Advisories

No advisories yet.

History

Tue, 28 Apr 2026 11:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-89

Thu, 09 Oct 2025 13:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Wed, 08 Oct 2025 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}
 | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Oct 2025 06:15:00 +0000

Type | Values Removed | Values Added
Description | | The Find Me On WordPress plugin through 2.0.9.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing subscribers and above to perform SQL injection attacks
Title | | Find Me On <= 2.0.9.1 - Subscriber+ SQL Injection
References | |

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-02T12:39:50.356Z

Reserved: 2025-09-17T13:13:58.985Z

Link: CVE-2025-10635

Vulnrichment

Updated: 2025-10-08T14:17:52.105Z

NVD

Status: Deferred

Published: 2025-10-08T06:15:33.527

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10635

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T10:45:29Z

Weaknesses