Description
The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to SQL Injection via the 'databeat' parameter in all versions up to, and including, 16.26.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-03-08
Score: 7.5 High
EPSS: 25.8% Moderate
KEV: No
Impact: Unauthenticated SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to SQL injection through the 'databeat' parameter because user supplied input is not properly escaped and the query is not prepared. Attackers can append additional SQL statements to the existing query, enabling them to read sensitive data from the database. This vulnerability is an instance of CWE-89 and results in potential loss of confidentiality for the data stored in the WordPress database.

Affected Systems

WordPress sites using the WP-Recall – Registration, Profile, Commerce & More plugin, versions 16.26.10 and earlier, are affected by this flaw.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, and the EPSS score of 26% suggests a moderate likelihood of exploitation. Because the attack vector is unauthenticated, an attacker does not need credentials to exploit the flaw, meaning the vulnerability could be used to compromise any site that has not updated the plugin. The vulnerability is not listed in the CISA KEV catalog, so no publicly known exploit has been catalogued yet, but the moderate EPSS indicates that exploitation could occur at some point.

Generated by OpenCVE AI on April 22, 2026 at 01:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP-Recall plugin to the latest version (16.26.11 or later) to remove the vulnerable code.
  • If an update cannot be applied immediately, restrict access to the endpoint that exposes the 'databeat' parameter—e.g., block the URL via a firewall or make it require authenticated access only.
  • Continuously monitor web server logs and database access for signs of SQL injection attempts and investigate any suspicious activity.


Advisories

No advisories yet.

History

Wed, 12 Mar 2025 16:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Plechevandrey; Plechevandrey wp-recall
CPEs                |                | cpe:2.3:a:plechevandrey:wp-recall:*:*:*:*:*:wordpress:*:*
Vendors & Products  |                | Plechevandrey; Plechevandrey wp-recall

Tue, 11 Mar 2025 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 08 Mar 2025 09:30:00 +0000

Type        | Values Removed | Values Added
Description |                | The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to SQL Injection via the 'databeat' parameter in all versions up to, and including, 16.26.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title       |                | WP-Recall – Registration, Profile, Commerce & More <= 16.26.10 - Unauthenticated SQL Injection
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:22.160Z

Reserved: 2025-02-14T23:31:53.701Z

Link: CVE-2025-1323

Vulnrichment

Updated: 2025-03-10T17:01:28.909Z

NVD

Status: Analyzed

Published: 2025-03-08T10:15:11.003

Modified: 2025-03-12T16:24:59.343

Link: CVE-2025-1323

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T02:00:05Z

Weaknesses