CVE-2025-1648 - Vulnerability Details

- Yawave <= 2.9.1 - Unauthenticated SQL Injection

Description

The Yawave plugin for WordPress is vulnerable to SQL Injection via the 'lbid' parameter in all versions up to, and including, 2.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Published: 2025-02-25

Score: 7.5 High

EPSS: 1.0% Low

KEV: No

Impact:

Action:

Analysis

Impact

The Yawave WordPress plugin is vulnerable to an unauthenticated SQL injection via the 'lbid' parameter in all versions up to 2.9.1, due to unsanitised input and lack of query preparation. Attackers can append arbitrary SQL statements to the existing query, allowing extraction of sensitive database contents. This flaw is a classic input validation weakness identified as CWE‑89, and it can compromise the confidentiality and integrity of site data.

Affected Systems

Affected systems include any WordPress site running the Yawave plugin, specifically versions 2.9.1 or older. The plugin is distributed under the product identifier yawave. Users who have installed these versions are at risk until they upgrade or remove the plugin.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5, indicating a high severity, and an EPSS score of 1 %, meaning that exploitation likelihood is currently low but not negligible. It is not listed in the CISA KEV catalog. The problem can be exploited by any unauthenticated user via a crafted HTTP request targeting the shortcode.liveblog.php endpoint, showing that the attack vector is network accessible and does not require administrative access.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

yawaveadmin

Yawave

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.9.1

Configuration 1 [-]

cpe:2.3:a:yawave:yawave:*:*:*:*:*:wordpress:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Yawave plugin to a version newer than 2.9.1
If an upgrade is not immediately possible, uninstall or disable the Yawave plugin from the WordPress installation
Deploy a Web Application Firewall rule to detect and block suspicious SQL injection attempts against the 'lbid' parameter

Generated by OpenCVE AI on April 21, 2026 at 22:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-5072	The Yawave plugin for WordPress is vulnerable to SQL Injection via the 'lbid' parameter in all versions up to, and including, 2.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01009.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://atviksecurity.com/yawave-wordpress-plugin-unauthenticated-sql-injection/
https://plugins.trac.wordpress.org/browser/yawave/trunk/includes/shortcode.liveblog.php#L69
https://www.wordfence.com/threat-intel/vulnerabilities/id/6a5cc21a-eb3a-429a-a0f9-0181d95a9eeb?source=cve

History

Fri, 28 Feb 2025 02:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Yawave Yawave yawave
CPEs		cpe:2.3:a:yawave:yawave::::::wordpress::*
Vendors & Products		Yawave Yawave yawave

Tue, 25 Feb 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 25 Feb 2025 07:15:00 +0000

Type	Values Removed	Values Added
Description		The Yawave plugin for WordPress is vulnerable to SQL Injection via the 'lbid' parameter in all versions up to, and including, 2.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title		Yawave <= 2.9.1 - Unauthenticated SQL Injection
Weaknesses		CWE-89
References		https://atviksecurity.com/yawave-wordpress-plugin-unauthenticated-sql-injection/ https://plugins.trac.wordpress.org/browser/yawave/trunk/includes/shortcode.liveblog.php#L69 https://www.wordfence.com/threat-intel/vulnerabilities/id/6a5cc21a-eb3a-429a-a0f9-0181d95a9eeb?source=cve
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Yawave Yawave

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-02-25T06:58:30.828Z

Updated: 2026-04-08T16:58:49.208Z

Reserved: 2025-02-24T18:48:05.918Z

Link: CVE-2025-1648

Vulnrichment

Updated: 2025-02-25T14:14:33.993Z

NVD

Status : Analyzed

Published: 2025-02-25T07:15:18.670

Modified: 2025-02-28T01:30:32.830

Link: CVE-2025-1648

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:30:06Z

Weaknesses

CWE-89

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object