Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Philipp Speck WordPress Custom Sidebar wordpress-custom-sidebar allows Blind SQL Injection. This issue affects WordPress Custom Sidebar: from n/a through <= 2.3.
Published: 2025-01-16
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress Custom Sidebar plugin contains an SQL injection flaw due to improper neutralization of special elements in an SQL command. A remote attacker can exploit this blind injection to read or modify the site's database, potentially exposing sensitive content or altering site configuration. The weakness is classified as CWE-89 and can lead to data disclosure, tampering, and, if privilege escalation is possible, further compromise of the host.

Affected Systems

Affected products are WordPress installations that employ the WordPress Custom Sidebar plugin developed by Philipp Speck, versions from the initial release through 2.3. Users running any earlier release that has not been patched to a newer version remain vulnerable.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity, while the EPSS of < 1% suggests a low probability of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Attackers can likely trigger the issue via the plugin’s exposed web interface or publicly accessible sidebar widgets, without needing authentication, and the injection is blind, relying on timing or error behavior.

Generated by OpenCVE AI on May 1, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress Custom Sidebar plugin to the latest version (2.4 or later) to eliminate the injection vector.
  • If an update is not available or the plugin is no longer required, uninstall the WordPress Custom Sidebar plugin to remove the source of the vulnerability.
  • Apply general web application hardening such as restricting database user privileges and validating or sanitizing user input in sidebar content submissions to reduce the impact of any future injection flaws.

Generated by OpenCVE AI on May 1, 2026 at 20:20 UTC.

Advisories
Source ID Title
EUVD  EUVD-2025-3527  Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Typomedia Foundation WordPress Custom Sidebar allows Blind SQL Injection. This issue affects WordPress Custom Sidebar: from n/a through 2.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Typomedia Foundation WordPress Custom Sidebar allows Blind SQL Injection. This issue affects WordPress Custom Sidebar: from n/a through 2.3.
  Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Philipp Speck WordPress Custom Sidebar wordpress-custom-sidebar allows Blind SQL Injection. This issue affects WordPress Custom Sidebar: from n/a through <= 2.3.
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Sat, 18 Jan 2025 08:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Jan 2025 20:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Typomedia Foundation WordPress Custom Sidebar allows Blind SQL Injection. This issue affects WordPress Custom Sidebar: from n/a through 2.3.
Title WordPress WordPress Custom Sidebar Plugin <= 2.3 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T22:44:49.715Z

Reserved: 2025-01-16T11:32:12.975Z

Link: CVE-2025-23912

Vulnrichment

Updated: 2025-01-17T17:16:02.709Z

NVD

Status: Deferred

Published: 2025-01-16T21:15:32.930

Modified: 2026-06-17T08:57:43.140

Link: CVE-2025-23912

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T20:30:05Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')