Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in jgwhite33 WP Yelp Review Slider wp-yelp-review-slider allows Blind SQL Injection. This issue affects WP Yelp Review Slider: from n/a through <= 8.1.
Published: 2025-02-25
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from improper neutralization of special elements within SQL commands, enabling blind SQL injection through the WP Yelp Review Slider plugin. An attacker can craft malicious input that is executed by the database, potentially exposing, modifying, or deleting sensitive data. This breach compromises both confidentiality and integrity of the site's data and may serve as a foothold for further exploitation.

Affected Systems

The WP Yelp Review Slider plugin developed by jgwhite33 for WordPress is affected. Versions from the initial release up to and including 8.1 contain the flaw.

Risk and Exploitability

The CVSS score of 7.6 indicates a high severity, while the EPSS score of less than 1% suggests a low probability of active exploitation at present. The vulnerability is not listed in CISA's KEV catalog. Based on the description, it is inferred that a blind SQL injection would most likely be carried out via the web interface, sending crafted input to the plugin’s endpoints. The blind nature of the injection means that exploitation relies on timing or inference techniques rather than immediate error messages.

Generated by OpenCVE AI on May 2, 2026 at 09:03 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Yelp Review Slider plugin to the latest available patch.
  • If an upgrade is not immediately possible, disable the plugin or restrict its use to trusted administrative accounts only.
  • Deploy a Web Application Firewall rule that blocks suspicious SQL injection patterns targeting the plugin’s input fields.
  • Review and restrict the database user privileges associated with WordPress to the minimum required for normal operation.

Advisories

  • Source: EUVD
    ID: EUVD-2025-5404
    Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in jgwhite33 WP Yelp Review Slider allows Blind SQL Injection. This issue affects WP Yelp Review Slider: from n/a through 8.1.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description (value removed): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in jgwhite33 WP Yelp Review Slider allows Blind SQL Injection. This issue affects WP Yelp Review Slider: from n/a through 8.1.
  Description (value added): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in jgwhite33 WP Yelp Review Slider wp-yelp-review-slider allows Blind SQL Injection.This issue affects WP Yelp Review Slider: from n/a through <= 8.1.
  References
  Metrics (cvssV3_1): {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Tue, 25 Feb 2025 18:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 25 Feb 2025 14:30:00 +0000
  Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in jgwhite33 WP Yelp Review Slider allows Blind SQL Injection. This issue affects WP Yelp Review Slider: from n/a through 8.1.
  Title: WordPress WP Yelp Review Slider Plugin <= 8.1 - SQL Injection vulnerability
  Weaknesses: CWE-89
  References
  Metrics (cvssV3_1): {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:44.628Z

Reserved: 2025-02-17T11:51:18.743Z

Link: CVE-2025-26946

Vulnrichment

Updated: 2025-02-25T17:20:28.091Z

NVD

Status: Deferred

Published: 2025-02-25T15:15:28.320

Modified: 2026-06-17T09:02:38.910

Link: CVE-2025-26946

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T09:15:26Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')