Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in iDo8p WPMU Prefill Post wpmu-prefill-post allows SQL Injection. This issue affects WPMU Prefill Post: from n/a through <= 1.02.
Published: 2025-01-07
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an SQL injection flaw in the iDo8p WPMU Prefill Post plugin for WordPress. Because the plugin improperly sanitizes user input before including it in an SQL statement, an attacker can inject arbitrary SQL code. An adversary could read, modify, or delete data in the database, potentially escalating to full site compromise if privileged users can craft the request.

Affected Systems

WordPress sites utilizing the WPMU Prefill Post plugin up through version 1.02 are impacted. This includes all installations that have not upgraded beyond the stated maximum. The plugin is distributed by iDo8p. No specific operating system or WordPress core version limitations are noted.

Risk and Exploitability

The CVSS score of 7.6 indicates a high severity. The EPSS score of less than 1% suggests low observed exploitation likelihood. The vulnerability is not listed in the KEV catalog, and no active exploits are known. The likely attack path involves interacting with a vulnerable instance of the plugin through its publicly accessible interface, potentially requiring attacker-controlled parameters. The published CVSS vector (AV:N/AC:L/PR:H/UI:N) describes a low-complexity network attack that needs high privileges and no user interaction. Without further evidence, it is best to treat it as a serious but low-probability risk.

Generated by OpenCVE AI on May 1, 2026 at 22:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPMU Prefill Post plugin to a version that contains the SQL injection fix, such as 1.03 or later.
  • If an update is not immediately available, disable the plugin until a patch is released to eliminate the attack surface.
  • Limit database user privileges to the minimum necessary for WordPress operation, ensuring that even if an injection occurs, the damage potential is reduced.

Advisories
Source: EUVD
ID: EUVD-2025-2788
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Benjamin Santalucia (ben@woow-fr.com) WPMU Prefill Post allows SQL Injection. This issue affects WPMU Prefill Post: from n/a through 1.02.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Benjamin Santalucia (ben@woow-fr.com) WPMU Prefill Post allows SQL Injection. This issue affects WPMU Prefill Post: from n/a through 1.02.
Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in iDo8p WPMU Prefill Post wpmu-prefill-post allows SQL Injection. This issue affects WPMU Prefill Post: from n/a through <= 1.02.
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


Tue, 07 Jan 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Jan 2025 15:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Benjamin Santalucia (ben@woow-fr.com) WPMU Prefill Post allows SQL Injection. This issue affects WPMU Prefill Post: from n/a through 1.02.
Title WordPress WPMU Prefill Post Plugin <= 1.02 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:00.399Z

Reserved: 2025-01-07T10:22:41.465Z

Link: CVE-2025-22507

Vulnrichment

Updated: 2025-01-07T16:21:09.328Z

NVD

Status: Deferred

Published: 2025-01-07T16:15:46.040

Modified: 2026-06-17T08:47:51.267

Link: CVE-2025-22507

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T22:15:27Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')