Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ofek Nakar Virtual Bot virtual-bot allows Blind SQL Injection.This issue affects Virtual Bot: from n/a through <= 1.0.0.
Published: 2025-01-09
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unsanitized SQL injection flaw (CWE‑89) in Ofek Nakar’s Virtual Bot WordPress plugin. It allows an attacker to inject crafted SQL through the plugin’s input parameters, earning blind access to the site’s database. Such exploitation can expose, alter, or delete data stored in the database, thereby compromising the confidentiality and integrity of all content managed by the WordPress installation.

Affected Systems

WordPress sites that have installed Ofek Nakar:Virtual Bot, versions up to and including 1.0.0. All releases identified as being from the initial release through the stated maximum affected version are impacted.

Risk and Exploitability

The CVSS score of 9.3 classifies this flaw as critical. While the EPSS score of less than 1% indicates a low current likelihood of exploitation, the vulnerability is publicly documented and has no known active exploits, so the risk remains significant if the plugin is actively exposed to the internet. It is not listed in the CISA KEV catalog. The attack vector is remote, via web application input that is concatenated directly into SQL queries. An attacker with the ability to submit requests to the plugin’s endpoints can perform privileged database operations once the injection is confirmed.

Generated by OpenCVE AI on May 2, 2026 at 09:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Virtual Bot to the latest non‑vulnerable release once it becomes available.
  • If an upgrade is not possible, remove or disable the Virtual Bot plugin from the WordPress installation to eliminate the attack surface.
  • Deploy a Web Application Firewall or configure an existing WAF to block SQL injection patterns targeting the plugin’s input fields, and ensure that only trusted administrators have permission to install or edit plugins.

Generated by OpenCVE AI on May 2, 2026 at 09:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-2820 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ofek Nakar Virtual Bot allows Blind SQL Injection.This issue affects Virtual Bot: from n/a through 1.0.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ofek Nakar Virtual Bot allows Blind SQL Injection.This issue affects Virtual Bot: from n/a through 1.0.0. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ofek Nakar Virtual Bot virtual-bot allows Blind SQL Injection.This issue affects Virtual Bot: from n/a through <= 1.0.0.
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Fri, 10 Jan 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Jan 2025 15:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ofek Nakar Virtual Bot allows Blind SQL Injection.This issue affects Virtual Bot: from n/a through 1.0.0.
Title WordPress Virtual Bot Plugin <= 1.0.0 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:01.199Z

Reserved: 2025-01-07T10:23:07.227Z

Link: CVE-2025-22542

cve-icon Vulnrichment

Updated: 2025-01-10T20:22:46.834Z

cve-icon NVD

Status : Deferred

Published: 2025-01-09T16:16:28.670

Modified: 2026-06-17T08:48:07.987

Link: CVE-2025-22542

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T10:00:06Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')