Description
The Robcore Netatmo plugin for WordPress is vulnerable to SQL Injection via the ‘module_id’ attribute of the robcore-netatmo shortcode in all versions up to, and including, 1.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-09-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Apply Patch
AI Analysis

Impact

The Robcore Netatmo WordPress plugin contains a flaw that allows an authenticated user with Contributor privileges or higher to inject SQL through the module_id attribute of the robcore-netatmo shortcode. A Contributor can place the shortcode in a post they author and have it rendered (for example through the post preview), and because the attribute value is concatenated into the existing query without escaping or preparation, crafted input appends additional SQL to that query, enabling the extraction of sensitive information from the WordPress database.

Affected Systems

All installations of the Robcore Netatmo plugin with versions 1.7 and earlier are impacted. The vulnerability resides in the code that processes the robcore-netatmo shortcode, specifically the handling of the module_id parameter.
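The advisory describes the bug as string concatenation of the attribute into an existing query with neither escaping nor $wpdb->prepare(). The following is an added illustration of that pattern and its fix; it is not the Robcore Netatmo plugin's own code, and the table name, column names, function names and the example shortcode tag are assumptions made for the example.

```php
<?php
// Added illustration, not the Robcore Netatmo plugin's own code. The table
// {prefix}netatmo_modules, its columns and the callback names are assumptions.

// Vulnerable pattern, as the advisory describes it: the shortcode attribute is
// concatenated straight into the SQL string with no escaping and no prepare().
function example_netatmo_shortcode_vulnerable( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'module_id' => '' ), $atts, 'example-netatmo' );

    // Attacker-controlled: a Contributor writes the shortcode into a draft post, e.g.
    // [example-netatmo module_id="x' UNION SELECT user_login, user_pass FROM wp_users -- "]
    $sql = "SELECT module_name, last_value FROM {$wpdb->prefix}netatmo_modules"
         . " WHERE module_id = '" . $atts['module_id'] . "'";

    $row = $wpdb->get_row( $sql, ARRAY_A );
    return $row ? esc_html( $row['module_name'] . ': ' . $row['last_value'] ) : '';
}

// Hardened pattern: the same query goes through $wpdb->prepare(), so the
// attribute is bound as one string value whatever characters it contains.
// %s is used rather than %d because the page does not state the ID's format.
function example_netatmo_shortcode_fixed( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'module_id' => '' ), $atts, 'example-netatmo' );

    $module_id = sanitize_text_field( (string) $atts['module_id'] );
    if ( '' === $module_id ) {
        return '';
    }

    $sql = $wpdb->prepare(
        "SELECT module_name, last_value FROM {$wpdb->prefix}netatmo_modules WHERE module_id = %s",
        $module_id
    );
    $row = $wpdb->get_row( $sql, ARRAY_A );
    return $row ? esc_html( $row['module_name'] . ': ' . $row['last_value'] ) : '';
}

// Registered under a distinct tag so it does not collide with the real plugin.
add_shortcode( 'example-netatmo', 'example_netatmo_shortcode_fixed' );
```

With the prepared form, the UNION payload above is compared literally against module_id and matches nothing; the output escaping with esc_html() is unrelated to the SQL fix but keeps the rendered value from becoming a separate HTML injection.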

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) scores 6.5 Medium: reachable over the network with low attack complexity and no user interaction, requiring a low-privileged account, with high confidentiality impact and no integrity or availability impact, so the realistic outcome is data disclosure rather than modification. Because exploitation needs a WordPress account with Contributor-level or higher permissions, the attacker pool is limited to users who can already author posts; note that a Contributor needs no editorial approval to save a draft containing the shortcode and render it through the post preview, so the privilege bar is lower than it may sound. The EPSS score of <1% indicates a low probability of exploitation across the general ecosystem, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment recorded in the history below (Exploitation: none, Automatable: no, Technical Impact: partial) is consistent with that. The malicious input is stored in post content rather than sent as a request parameter, so detection means looking for the robcore-netatmo shortcode with unusual module_id values in post_content (including drafts and revisions) and for UNION or comment sequences in the database query log.

Generated by OpenCVE AI on April 21, 2026 at 19:02 UTC.

Remediation

No vendor fix or workaround is recorded for this entry. The advisory covers versions up to and including 1.7, so confirm in the plugin's changelog that a release later than 1.7 addresses this issue before treating an update as the remediation.

OpenCVE Recommended Actions

  • Update the Robcore Netatmo plugin to a version later than 1.7 that the vendor states addresses the module_id escaping flaw
  • If an immediate update is unavailable, restrict or disable the robcore-netatmo shortcode for content authored by Contributor-level users, or remove the plugin from the site until the issue is patched
  • Configure a web application firewall or custom input validation to reject suspicious SQL patterns in the module_id attribute; because the payload arrives in post content saved through the editor (admin-ajax, post.php or the REST API), the rule must inspect the body of those write requests, not a query-string parameter
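One way to implement the second recommendation while waiting for a patch, as an added example that is not part of the plugin or of OpenCVE's guidance: a must-use plugin that wraps whatever callback the plugin registered for the robcore-netatmo tag and only lets it run for content whose author holds an Editor-level capability. It assumes the plugin registers the tag 'robcore-netatmo' by the time init fires, and the allowed-character pattern for module_id is an assumption chosen to exclude SQL metacharacters.

```php
<?php
/**
 * Plugin Name: Temporary guard for the robcore-netatmo shortcode
 *
 * Added mitigation example, not code from the Robcore Netatmo plugin. Place it in
 * wp-content/mu-plugins/ until a patched release is installed. Assumes the plugin
 * registers its shortcode under the tag 'robcore-netatmo' and that authors trusted
 * to use it hold the 'edit_others_posts' capability (Editor and above).
 */

add_action( 'init', function () {
    global $shortcode_tags;

    // Nothing to do if the plugin is inactive or has not registered the tag.
    if ( empty( $shortcode_tags['robcore-netatmo'] ) ) {
        return;
    }

    $original = $shortcode_tags['robcore-netatmo'];

    add_shortcode( 'robcore-netatmo', function ( $atts, $content = '', $tag = '' ) use ( $original ) {
        $post = get_post();

        // The shortcode is rendered from post content, so the principal that matters
        // is the author who wrote it, not the visitor viewing or previewing the page.
        if ( ! $post || ! user_can( (int) $post->post_author, 'edit_others_posts' ) ) {
            return '';
        }

        // Even for a trusted author, refuse a module_id containing anything beyond a
        // conservative allowlist (assumption: real IDs use only these characters).
        $atts = (array) $atts;
        if ( isset( $atts['module_id'] )
             && ! preg_match( '/\A[0-9A-Za-z:_-]{1,64}\z/', (string) $atts['module_id'] ) ) {
            return '';
        }

        return call_user_func( $original, $atts, $content, $tag );
    } );
}, PHP_INT_MAX );
```

The hook runs at the lowest possible priority on init so that it replaces the plugin's registration rather than being overwritten by it; mu-plugins load before regular plugins, which is why the wrapper cannot simply grab the callback at file load time. Remove the file once the patched plugin is installed, since it also blocks legitimate Contributor content.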



Advisories

Source: EUVD
ID: EUVD-2025-30322
Title: The Robcore Netatmo plugin for WordPress is vulnerable to SQL Injection via the ‘module_id’ attribute of the robcore-netatmo shortcode in all versions up to, and including, 1.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Mon, 22 Sep 2025 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 22 Sep 2025 10:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Sat, 20 Sep 2025 02:15:00 +0000

Type: Description
Values Added: The Robcore Netatmo plugin for WordPress is vulnerable to SQL Injection via the ‘module_id’ attribute of the robcore-netatmo shortcode in all versions up to, and including, 1.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Type: Title
Values Added: Robcore Netatmo <= 1.7 - Authenticated (Contributor+) SQL Injection via robcore-netatmo Shortcode
Type: Weaknesses
Values Added: CWE-89
Type: References
Values Added: (none listed)
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:31:27.783Z

Reserved: 2025-09-17T19:13:13.559Z

Link: CVE-2025-10652

Vulnrichment

Updated: 2025-09-22T15:13:12.507Z

NVD

Status : Deferred

Published: 2025-09-20T02:15:36.750

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10652

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:15:26Z

Weaknesses