Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in hiren.sabd WP Music Player wp-music-player allows SQL Injection.This issue affects WP Music Player: from n/a through <= 1.3.
Published: 2025-01-07
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin builds an SQL command without neutralizing special characters in attacker-controlled input (CWE-89), so an attacker can inject SQL that the database executes as part of the plugin's query. The CVSS vector recorded for this issue (C:H/I:N/A:L) rates the impact as high on confidentiality, none on integrity and low on availability: the primary risk is disclosure of database contents, with a lesser risk of disruption. The changed scope (S:C) indicates that the impact reaches beyond the plugin code itself to the WordPress installation's database.

Affected Systems

The WP Music Player WordPress plugin (slug wp-music-player) by hiren.sabd is affected. All releases up to and including 1.3 are vulnerable; no fixed version is recorded on this page.

Risk and Exploitability

The CVSS 3.1 score of 7.6 (High) and the EPSS score below 1% point in different directions: the flaw is serious if exploited, but exploitation in the wild is currently unlikely. The vulnerability is not listed in the CISA KEV catalogue, and the SSVC assessment records Exploitation: none and Automatable: no. The vector (AV:N/AC:L/PR:H/UI:N) describes a remote, low-complexity attack that needs no user interaction but does require an account with high privileges; a crafted HTTP request from such an account to the plugin's input-handling code would reach the unsanitized SQL statement. A successful exploit exposes database contents, with a limited availability impact.

Generated by OpenCVE AI on May 1, 2026 at 22:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • No fixed version is recorded on this page (see Remediation). Treat every installed version of WP Music Player as vulnerable until the vendor publishes a release later than 1.3 that addresses the issue, and check the plugin's changelog before upgrading.
  • If the plugin cannot be removed immediately, disable it, or at least restrict the high-privilege accounts the vector requires (PR:H) to trusted administrators, since those are the accounts that can reach the vulnerable code path.
  • In any custom code that touches the plugin's tables, pass user-supplied values through parameterized queries (in WordPress, $wpdb->prepare() with %d/%s placeholders) rather than concatenating them into SQL text; input sanitization on its own is a weaker defence and should only supplement parameterization.

Advisories

  Source: EUVD
  ID: EUVD-2025-2814
  Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Hiren Patel WP Music Player allows SQL Injection. This issue affects WP Music Player: from n/a through 1.3.
History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1):
    {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description, value removed:
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Hiren Patel WP Music Player allows SQL Injection. This issue affects WP Music Player: from n/a through 1.3.
  Description, value added:
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in hiren.sabd WP Music Player wp-music-player allows SQL Injection. This issue affects WP Music Player: from n/a through <= 1.3.
  References: (values not shown)
  Metrics (cvssV3_1):
    {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Tue, 07 Jan 2025 18:15:00 +0000
  Metrics (ssvc), value added:
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Jan 2025 15:30:00 +0000
  Description, value added:
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Hiren Patel WP Music Player allows SQL Injection. This issue affects WP Music Player: from n/a through 1.3.
  Title, value added: WordPress WP Music Player Plugin <= 1.3 - SQL Injection vulnerability
  Weaknesses, value added: CWE-89
  References: (values not shown)
  Metrics (cvssV3_1), value added:
    {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:01.056Z

Reserved: 2025-01-07T10:23:07.226Z

Link: CVE-2025-22536

Vulnrichment

Updated: 2025-01-07T17:15:52.664Z

NVD

Status: Deferred

Published: 2025-01-07T16:15:49.293

Modified: 2026-04-23T15:23:10.517

Link: CVE-2025-22536

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T22:30:16Z

Weaknesses