Description
The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'query' parameter in all versions up to, and including, 3.11.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Version 3.11.13 raises the minimum user-level for exploitation to administrator. 3.11.14 fully patches the vulnerability.
Published: 2025-12-02
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Exfiltration via SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The Visualizer plugin for WordPress permits injection of arbitrary SQL through the 'query' parameter due to lacking escaping and failure to prepare existing statements. An authenticated user with Contributor-level access or higher can exploit this flaw to append extra SQL clauses and read sensitive database information. The attack leverages directly user input, bypassing normal query sanitation, which can lead to disclosure of private data.

Affected Systems

WordPress sites running the Visualizer: Tables and Charts Manager plugin version 3.11.12 or older are affected. The vulnerability remains in 3.11.13 unless the user role is elevated to administrator; it is fully addressed in 3.11.14. The plugin is maintained by ThemeIsle.

Risk and Exploitability

The CVSS score of 6.5 rates this flaw as moderate, and the EPSS score of less than 1% indicates low probability of widespread exploitation at present. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires legitimate user access and a web-based interaction that submits data to the vulnerable endpoint. Once exploited, the attacker can retrieve confidential database content. The associated CWE-89 reflects a classic injection weakness.

Generated by OpenCVE AI on April 21, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Visualizer plugin to version 3.11.14 or later to remove the injection vector.
  • If an upgrade cannot be performed immediately, block the 'query' parameter or enforce strict WAF rules to deny injection attempts, and limit Contributor-level users’ access to the plugin’s data tables.
  • Review the database for anomalous queries, rotate any compromised credentials, and audit user roles to ensure only necessary permissions are assigned.

Generated by OpenCVE AI on April 21, 2026 at 17:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 07 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Dec 2025 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Themeisle
Themeisle visualizer
Wordpress
Wordpress wordpress
Vendors & Products Themeisle
Themeisle visualizer
Wordpress
Wordpress wordpress

Tue, 02 Dec 2025 07:00:00 +0000

Type Values Removed Values Added
Description The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'query' parameter in all versions up to, and including, 3.11.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Version 3.11.13 raises the minimum user-level for exploitation to administrator. 3.11.14 fully patches the vulnerability.
Title Visualizer: Tables and Charts Manager for WordPress <= 3.11.12 - Authenticated (Contributor+) SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Themeisle Visualizer
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:09:50.361Z

Reserved: 2025-10-29T18:05:54.435Z

Link: CVE-2025-12483

cve-icon Vulnrichment

Updated: 2026-01-07T17:08:56.608Z

cve-icon NVD

Status : Deferred

Published: 2025-12-02T07:15:46.880

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12483

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T18:00:11Z

Weaknesses