Description
The Specific Content For Mobile – Customize the mobile version without redirections plugin for WordPress is vulnerable to SQL Injection via the eos_scfm_duplicate_post_as_draft() function in all versions up to, and including, 0.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with COntributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-11-12
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated SQL Injection
Action: Update Plugin
AI Analysis

Impact

The "Specific Content For Mobile – Customize the mobile version without redirections" WordPress plugin is susceptible to a SQL Injection flaw caused by improper escaping and lack of query preparation in the eos_scfm_duplicate_post_as_draft() function. The vulnerability allows users with Contributor or higher roles to append malicious SQL statements to existing queries, enabling extraction of sensitive database information. This is a classic input validation weakness identified as CWE‑89.

Affected Systems

All installations of the "Specific Content For Mobile – Customize the mobile version without redirections" plugin with version 0.5.5 or earlier are affected. The plugin is distributed by the vendor giuse and integrates into WordPress sites.

Risk and Exploitability

The CVSS score for this issue is 6.5. The EPSS indicates a very low but non‑zero likelihood of exploitation, currently less than 1%. It is not listed in CISA’s KEV catalog. Attackers need authenticated access with at least Contributor privileges, so the attack vector is internal; an adversary who gains legitimate contributor access can use the injection to read database contents.

Generated by OpenCVE AI on April 22, 2026 at 12:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the "Specific Content For Mobile – Customize the mobile version without redirections" plugin to the latest release that addresses the SQL injection flaw (version higher than 0.5.5).
  • If an immediate upgrade is not feasible, remove the plugin from the WordPress installation or disable it until a patch is applied.
  • Limit Contributor‑level access to trusted users only or use a role‑management plugin to restrict contributor privileges that grant database access.

Generated by OpenCVE AI on April 22, 2026 at 12:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 12 Nov 2025 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 12 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 11:15:00 +0000

Type Values Removed Values Added
Description The Specific Content For Mobile – Customize the mobile version without redirections plugin for WordPress is vulnerable to SQL Injection via the eos_scfm_duplicate_post_as_draft() function in all versions up to, and including, 0.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with COntributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title Specific Content For Mobile – Customize the mobile version without redirections <= 0.5.5 - Authenticated (Contributor+) SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:59:49.160Z

Reserved: 2025-10-07T17:29:17.585Z

Link: CVE-2025-11454

cve-icon Vulnrichment

Updated: 2025-11-12T14:15:32.584Z

cve-icon NVD

Status : Deferred

Published: 2025-11-12T11:15:38.463

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11454

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T12:30:16Z

Weaknesses