Description
The attention-bar WordPress plugin through 0.7.2.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users such as administrator to perform SQL injection attacks
Published: 2025-11-20
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Apply Update
AI Analysis

Impact

The Attention Bar WordPress plugin does not sanitize and escape a user-supplied parameter before using it in a SQL statement (CWE-89). Because the vulnerable code path is reachable only by high-privilege users such as administrators, this is an admin-to-database injection rather than an unauthenticated one: an administrator, or an attacker who has taken over an administrator session, can inject arbitrary SQL. The assigned CVSS vector rates the impact as a high confidentiality loss with no integrity or availability impact, i.e. reading data from the WordPress database beyond what the plugin itself exposes; whether the injection point also permits writes depends on the affected statement, which the advisory does not detail.
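The following is an added illustration of the CWE-89 pattern the advisory describes, not code from the Attention Bar plugin: an admin-only handler that drops a request parameter straight into a query, beside the same handler rewritten with $wpdb->prepare(). The table name, column names and the ab_bar_id parameter are assumptions made for the example.

```php
<?php
// Added example (not the attention-bar plugin's code) of the CWE-89 pattern:
// an admin-only settings handler that interpolates a request parameter into
// SQL, and the same handler hardened with $wpdb->prepare(). The table
// {prefix}ab_bars, its columns and the 'ab_bar_id' parameter are assumptions.

// --- Vulnerable pattern: raw parameter concatenated into the query string ---
function ab_example_get_bar_vulnerable() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    $bar_id = isset( $_GET['ab_bar_id'] ) ? $_GET['ab_bar_id'] : '';
    // The capability check restricts this to administrators, but the value is
    // never sanitized or escaped, so an administrator (or an attacker riding an
    // admin session) can inject arbitrary SQL, e.g.
    //   ab_bar_id=0 UNION SELECT user_login, user_pass, 1 FROM wp_users
    $sql = "SELECT id, message, active FROM {$wpdb->prefix}ab_bars WHERE id = " . $bar_id;
    return $wpdb->get_results( $sql, ARRAY_A );
}

// --- Hardened pattern: type coercion, CSRF check and a parameterized query ---
function ab_example_get_bar_fixed() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // Reject cross-site requests that piggyback on an administrator's session.
    check_admin_referer( 'ab_example_view_bar' );
    // Coerce to the expected type before the value goes anywhere near SQL.
    $bar_id = absint( $_GET['ab_bar_id'] ?? 0 );
    // $wpdb->prepare() takes printf-style placeholders; %d guarantees that an
    // integer reaches the query regardless of what the raw parameter contained.
    $sql = $wpdb->prepare(
        "SELECT id, message, active FROM {$wpdb->prefix}ab_bars WHERE id = %d",
        $bar_id
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}
```

For string-valued parameters use the %s placeholder in the same way; $wpdb->prepare() quotes and escapes the value itself, so the caller must not wrap the placeholder in quotes or pre-escape the input. Escaping alone (esc_sql()) is weaker than a prepared statement because it still relies on the surrounding query being quoted correctly.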

Affected Systems

WordPress installations running the Attention Bar plugin at version 0.7.2.1 or earlier are affected. The plugin has no dedicated vendor entry (it is listed as Unknown:attention-bar), so inventory affected sites by the installed plugin slug and version rather than by vendor ID.

Risk and Exploitability

The CVSS 3.1 base score of 6.8 rates this vulnerability Medium, and the EPSS score below 1 percent suggests a low probability of exploitation in the wild; it is not listed in the CISA KEV catalog. The vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N) requires an authenticated administrator, so the attack surface is limited to already-privileged accounts or an attacker who has compromised one, and the rated impact is to confidentiality. The SSVC entry records Exploitation: poc, so a proof of concept exists even though the exploitation likelihood is low. In practice an SQL injection reachable from an administrator session lets that account query tables outside the plugin's own, such as the password hashes in wp_users, which is why the score remains Medium despite the privilege requirement.

Generated by OpenCVE AI on April 28, 2026 at 10:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for an Attention Bar release later than 0.7.2.1 and upgrade if one is available; no vendor fix is recorded on this page at the time of writing, so verify the installed version directly.
  • If no fixed version is available or an immediate update is not feasible, deactivate the Attention Bar plugin until it is patched.
  • Because exploitation requires an authenticated administrator, reduce exposure by minimising the number of administrator accounts and enforcing strong authentication for them. A web application firewall may catch crude injection payloads aimed at the plugin's admin endpoints, but it is a supplementary control, not a substitute for patching or deactivation.
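The "deactivate until patched" action above can be enforced automatically with a must-use plugin. The following is an added example, not vendor code: it reads the installed plugin version and deactivates the plugin when that version is 0.7.2.1 or earlier. The main-file path attention-bar/attention-bar.php is an assumption; confirm it on the Plugins screen or with `wp plugin list` before deploying.

```php
<?php
/**
 * Plugin Name: Attention Bar version guard (added example, not vendor code)
 *
 * Drop this file into wp-content/mu-plugins/. It deactivates the Attention Bar
 * plugin while the installed version is at or below the last vulnerable release
 * named in CVE-2025-12502. The plugin's main file path is an assumption.
 */

define( 'AB_GUARD_PLUGIN_FILE', 'attention-bar/attention-bar.php' ); // assumed path
define( 'AB_GUARD_LAST_VULNERABLE', '0.7.2.1' );                    // "through 0.7.2.1"

add_action( 'admin_init', 'ab_guard_check_version' );

function ab_guard_check_version() {
    // get_plugin_data(), is_plugin_active() and deactivate_plugins() live in
    // wp-admin/includes/plugin.php, which is not loaded on every request.
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }

    $path = WP_PLUGIN_DIR . '/' . AB_GUARD_PLUGIN_FILE;
    if ( ! file_exists( $path ) || ! is_plugin_active( AB_GUARD_PLUGIN_FILE ) ) {
        return; // not installed or already inactive: nothing to do
    }

    // Read the "Version:" header from the plugin's main file (no markup, no translation).
    $data      = get_plugin_data( $path, false, false );
    $installed = isset( $data['Version'] ) ? $data['Version'] : '0';

    if ( version_compare( $installed, AB_GUARD_LAST_VULNERABLE, '<=' ) ) {
        deactivate_plugins( AB_GUARD_PLUGIN_FILE );
        error_log( sprintf(
            'ab_guard: deactivated attention-bar %s (<= %s, CVE-2025-12502)',
            $installed,
            AB_GUARD_LAST_VULNERABLE
        ) );
        add_action( 'admin_notices', function () use ( $installed ) {
            printf(
                '<div class="notice notice-error"><p>%s</p></div>',
                esc_html( "Attention Bar $installed was deactivated: affected by CVE-2025-12502. Update to a fixed release before re-enabling." )
            );
        } );
    }
}
```

Once a fixed release exists, a version above 0.7.2.1 passes the comparison and the guard becomes a no-op, so it can be left in place across the upgrade and removed afterwards.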



Advisories

No advisories yet.

History

Tue, 28 Apr 2026 10:45:00 +0000

Type         Values Removed   Values Added
Weaknesses   (none)           CWE-89

Fri, 21 Nov 2025 09:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Wordpress
                                       Wordpress wordpress
Vendors & Products    (none)           Wordpress
                                       Wordpress wordpress

Thu, 20 Nov 2025 15:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           cvssV3_1: score 6.8, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
                           ssvc (version 2.0.3): Automatable: no, Exploitation: poc, Technical Impact: partial


Thu, 20 Nov 2025 06:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           The attention-bar WordPress plugin through 0.7.2.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users such as administrator to perform SQL injection attacks
Title         (none)           Attention Bar <= 0.7.2.1 - Admin+ SQLi
References

Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-02T12:39:51.836Z

Reserved: 2025-10-30T09:01:05.379Z

Link: CVE-2025-12502

Vulnrichment

Updated: 2025-11-20T14:32:41.652Z

NVD

Status : Deferred

Published: 2025-11-20T15:17:23.230

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12502

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T10:30:29Z

Weaknesses