Description
The db-access WordPress plugin through 0.8.7 does not have authorization in an AJAX action, allowing any authenticated users, such as subscriber to perform SQLI attacks
Published: 2025-12-02
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Patch Immediately
AI Analysis

Impact

The db-access WordPress plugin through version 0.8.7 has a missing authorization check in an AJAX action. This flaw allows any authenticated user—including users with subscriber privileges—to inject arbitrary SQL statements via the vulnerable endpoint. An attacker can therefore read, modify, or delete sensitive data stored in the WordPress database, compromising data confidentiality and integrity.

Affected Systems

WordPress sites using the db-access plugin version 0.8.7 or earlier are affected. The specific product is listed as db-access under the vendor identifier Unknown:db-access. No other vendors or products are reported as impacted.

Risk and Exploitability

The CVSS score of 7.7 classifies the vulnerability as high severity. The EPSS score of less than 1% indicates that actual exploitation is currently unlikely, and the issue is not listed in CISA’s KEV catalog. The attack vector is limited to authenticated users, meaning the attacker only needs to obtain or already possess legitimate account credentials. Once authenticated, they can exploit the flaw to execute SQL commands, leading to potential data exfiltration or unauthorized data modification.

Generated by OpenCVE AI on April 27, 2026 at 22:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the db-access plugin to a version newer than 0.8.7 to obtain the vendor‑supplied fix.
  • If upgrading is not immediately possible, restrict the plugin’s AJAX endpoint so that only administrators can access it.
  • After applying a patch or restriction, conduct a verification of the authorization checks in the AJAX action to ensure the vulnerability is fully remediated.

Generated by OpenCVE AI on April 27, 2026 at 22:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Jimbob1953
Jimbob1953 db-access
Weaknesses CWE-89
CPEs cpe:2.3:a:jimbob1953:db-access:*:*:*:*:*:wordpress:*:*
Vendors & Products Jimbob1953
Jimbob1953 db-access

Thu, 04 Dec 2025 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 02 Dec 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Dec 2025 06:15:00 +0000

Type Values Removed Values Added
Description The db-access WordPress plugin through 0.8.7 does not have authorization in an AJAX action, allowing any authenticated users, such as subscriber to perform SQLI attacks
Title DB Access <= 0.8.7 - Subscriber+ SQLi
References

Subscriptions

Jimbob1953 Db-access
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-02T12:39:53.352Z

Reserved: 2025-11-11T12:40:10.430Z

Link: CVE-2025-13000

cve-icon Vulnrichment

Updated: 2025-12-02T13:34:38.611Z

cve-icon NVD

Status : Analyzed

Published: 2025-12-02T06:15:45.160

Modified: 2026-01-30T20:42:11.060

Link: CVE-2025-13000

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T22:45:15Z

Weaknesses