Description
The ArielBrailovsky-ViralAd plugin for WordPress is vulnerable to SQL Injection via the 'text' and 'id' parameters of the limpia() function in all versions up to, and including, 1.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This only appears to be exploitable on very old versions of WordPress.
Published: 2025-03-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data extraction via SQL injection
Action: Immediate Patch
AI Analysis

Impact

The ArielBrailovsky‑ViralAd plugin contains an SQL injection flaw (CWE‑89) in the limpia() function. Unsanitized 'text' and 'id' parameters allow attackers to inject arbitrary SQL statements, enabling arbitrary query execution. Because the injection is unauthenticated, any visitor can trigger it, potentially extracting sensitive data such as user credentials, content, or site configuration from the WordPress database.

Affected Systems

All releases of the ArielBrailovsky‑ViralAd WordPress plugin up to version 1.0.8 are affected. The vulnerability is only exploitable on very old WordPress installations that still use legacy database schemas or older PHP versions. Newer WordPress cores and the plugin’s later releases eliminate the issue by using proper query preparation.

Risk and Exploitability

The CVSS score of 7.5 categorizes this flaw as high, yet the EPSS score of <1% indicates a low overall exploitation probability. The flaw is not listed in CISA’s KEV catalogue. Attackers need only a simple web request to the plugin’s endpoint; because authentication is not required, exploitation is straightforward, but the primary impact is data leakage rather than direct remote code execution, unless coupled with additional vulnerabilities.

Generated by OpenCVE AI on April 21, 2026 at 21:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ArielBrailovsky‑ViralAd plugin to the latest release or uninstall it if it is no longer maintained.
  • If a patch is unavailable, modify the plugin’s code to use parameterized queries (e.g., $wpdb->prepare) for the 'text' and 'id' parameters, ensuring all user input is properly escaped.
  • Disable unauthenticated access to the plugin’s front‑end scripts or remove the vulnerable functionality entirely, for example by restricting the endpoint to authenticated administrators or by deleting the plugin if it is not needed.
  • Harden the WordPress installation by restricting database user privileges to the minimal necessary permissions and by ensuring that only administrators can reach plugin admin pages.

Generated by OpenCVE AI on April 21, 2026 at 21:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-6422 The ArielBrailovsky-ViralAd plugin for WordPress is vulnerable to SQL Injection via the 'text' and 'id' parameters of the limpia() function in all versions up to, and including, 1.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This only appears to be exploitable on very old versions of WordPress.
History

Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00111}

 epss

{'score': 0.00155}

Fri, 14 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 13 Mar 2025 02:15:00 +0000

Type Values Removed Values Added
Description The ArielBrailovsky-ViralAd plugin for WordPress is vulnerable to SQL Injection via the 'text' and 'id' parameters of the limpia() function in all versions up to, and including, 1.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This only appears to be exploitable on very old versions of WordPress.
Title Arielbrailovsky-Viralad <= 1.0.8 - Unauthenticated SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:40.054Z

Reserved: 2025-03-07T19:59:41.196Z

Link: CVE-2025-2106

cve-icon Vulnrichment

Updated: 2025-03-14T13:55:47.471Z

cve-icon NVD

Status : Deferred

Published: 2025-03-13T02:15:13.097

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2106

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T22:00:26Z

Weaknesses