Description
The WordPress Report Brute Force Attacks and Login Protection ReportAttacks Plugins plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.32 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-03-13
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection enabling extraction of sensitive database information
Action: Apply Patch
AI Analysis

Impact

An authenticated attacker with administrator privileges can exploit the ReportAttacks plugin's insufficiently sanitized 'orderby' parameter, which allows SQL injection. The flaw resides in all plugin versions up to 2.32, enabling malicious SQL to be appended to legitimate queries and thereby read or manipulate sensitive database content. The vulnerability is a classic input injection problem (CWE-89) that grants an attacker unauthorized data exposure.

Affected Systems

The affected product is the WordPress Report Attacks and Login Protection plugin developed by sminozzi. Every release of the plugin through version 2.32 is vulnerable, so any WordPress site running this plugin at the affected levels is at risk. Administrators or higher-privileged users can trigger the injection via the web interface that uses the 'orderby' query string parameter.

Risk and Exploitability

The client-facing CVSS score of 4.9 indicates a medium-severity issue, while the extremely low EPSS of <1% reflects a very small likelihood of exploitation in the wild. Because the flaw requires authenticated access, attackers must first compromise an administrative account or have existing credentials. The vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploits are documented. However, the combination of limited exploitation window and potential to extract data keeps it a significant concern for sites with the plugin installed.

Generated by OpenCVE AI on April 21, 2026 at 21:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ReportAttacks plugin to any version newer than 2.32, or uninstall the plugin entirely if no update is available.
  • Sanitize the 'orderby' request parameter so that only known column names or numeric values are accepted, and bind all variables in the SQL statement to prevent injection.
  • Deploy a Web Application Firewall rule to block suspicious SQL patterns on the ReportAttacks admin URLs until a patch is applied.

Generated by OpenCVE AI on April 21, 2026 at 21:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-6425 The WordPress Report Brute Force Attacks and Login Protection ReportAttacks Plugins plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.32 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00047}

 epss

{'score': 0.00061}

Fri, 14 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 13 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Description The WordPress Report Brute Force Attacks and Login Protection ReportAttacks Plugins plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.32 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title WordPress Report Brute Force Attacks and Login Protection ReportAttacks Plugins <= 2.32 - Authenticated (Admin+) SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:31.169Z

Reserved: 2025-03-12T13:50:20.844Z

Link: CVE-2025-2250

cve-icon Vulnrichment

Updated: 2025-03-14T13:48:05.513Z

cve-icon NVD

Status : Deferred

Published: 2025-03-13T04:15:23.137

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2250

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T22:00:26Z

Weaknesses