Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in guelben Bravo Search & Replace bravo-search-and-replace allows Blind SQL Injection. This issue affects Bravo Search & Replace: from n/a through <= 1.0.
Published: 2025-02-24
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Bravo Search & Replace plugin contains a SQL injection vulnerability (CWE‑89) that occurs due to inadequate neutralization of special characters. The flaw enables attackers to embed crafted input into database queries, allowing blind SQL injection that can read, modify, or delete data in the WordPress database. This could lead to confidential information leakage, data corruption, or full database compromise, affecting confidentiality and data integrity.

Affected Systems

The issue affects the guelben Bravo Search & Replace plugin in versions up to and including 1.0. Any WordPress site that has installed this plugin is potentially vulnerable. All releases from the earliest available version through 1.0 are impacted.

Risk and Exploitability

The CVSS score of 7.6 signals high severity. The EPSS score is below 1%, indicating a low current probability of exploitation, and the vulnerability is not listed in CISA KEV. The attack vector likely involves submitting specially crafted input through the plugin's interface, either from a site-visible form or via an authenticated session; the recorded CVSS vector (PR:H) indicates that high privileges are required. Because the injection is blind, successful exploitation would require an attacker to send many requests and infer database contents from the responses. Nevertheless, the potential for unauthorized data access and database compromise keeps the risk high.

Generated by OpenCVE AI on May 2, 2026 at 11:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or delete the Bravo Search & Replace plugin to remove the vulnerable code.
  • Check the plugin developer’s website or repository for an updated version or patch; deploy it immediately when available.
  • Apply proper input validation and parameterized queries in the plugin code, or deploy a web application firewall to block malicious SQL patterns.
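The third recommendation, parameterized queries, is the durable fix for CWE-89. The following PHP is an added illustration written for this page, not code from the Bravo Search & Replace plugin (whose internals are not published here): the function names, the form field names and the nonce action are hypothetical. It contrasts the unsafe pattern (request input concatenated into SQL, which is what a blind SQL injection exploits) with a hardened handler that checks capability and nonce, validates identifiers against an allowlist, and binds the search value through `$wpdb->prepare()`.

```php
<?php
// Added example for this page; not the plugin's own code.
// Hypothetical function and field names ("bsr_" prefix, "bsr_search_replace" nonce).

// UNSAFE pattern (illustrative only): request values are concatenated straight into SQL.
// A crafted $search value changes the query, and the row count leaks one bit per request,
// which is exactly what a blind SQL injection needs.
function bsr_count_matches_unsafe( $table, $column, $search ) {
    global $wpdb;
    $sql = "SELECT COUNT(*) FROM {$table} WHERE {$column} LIKE '%{$search}%'";
    return (int) $wpdb->get_var( $sql );
}

// HARDENED handler: authorization, CSRF nonce, identifier allowlist, bound value.
function bsr_count_matches_safe() {
    global $wpdb;

    // Only administrators should be able to run search/replace against the database.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    // Reject requests that do not carry a valid nonce for this action (hypothetical action name).
    check_admin_referer( 'bsr_search_replace' );

    $table  = sanitize_text_field( wp_unslash( $_POST['table'] ?? '' ) );
    $column = sanitize_text_field( wp_unslash( $_POST['column'] ?? '' ) );
    $search = sanitize_text_field( wp_unslash( $_POST['search'] ?? '' ) );

    // Table and column names cannot be bound as values, so validate them against
    // what the database itself reports instead of trusting the request.
    $tables = $wpdb->get_col( 'SHOW TABLES' );
    if ( ! in_array( $table, $tables, true ) ) {
        wp_die( 'Unknown table.', '', array( 'response' => 400 ) );
    }
    $quoted_table = '`' . str_replace( '`', '``', $table ) . '`';

    $columns = $wpdb->get_col( "SHOW COLUMNS FROM {$quoted_table}", 0 );
    if ( ! in_array( $column, $columns, true ) ) {
        wp_die( 'Unknown column.', '', array( 'response' => 400 ) );
    }
    $quoted_column = '`' . str_replace( '`', '``', $column ) . '`';

    // The search term is data: escape LIKE wildcards, then bind it with %s so the
    // driver quotes it and it can never change the statement's structure.
    $like = '%' . $wpdb->esc_like( $search ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$quoted_table} WHERE {$quoted_column} LIKE %s",
        $like
    );

    return (int) $wpdb->get_var( $sql );
}
```

The split between identifiers and values is the part practitioners most often get wrong: `$wpdb->prepare()` placeholders (`%s`, `%d`, `%f`) bind values only, so table and column names taken from a request must be checked against an allowlist (here, the names MySQL reports) rather than passed through `prepare()`. The capability and nonce checks are there because, per the recorded CVSS vector, this class of plugin flaw is typically reachable from an authenticated session; limiting who can reach the handler reduces exposure even before the query is fixed.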


Advisories

Source: EUVD
ID: EUVD-2025-4348
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in guelben Bravo Search & Replace allows Blind SQL Injection. This issue affects Bravo Search & Replace: from n/a through 1.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1)
    Values added: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description
    Values removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in guelben Bravo Search & Replace allows Blind SQL Injection. This issue affects Bravo Search & Replace: from n/a through 1.0.
    Values added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in guelben Bravo Search & Replace bravo-search-and-replace allows Blind SQL Injection. This issue affects Bravo Search & Replace: from n/a through <= 1.0.
  References
    (no values listed)
  Metrics (cvssV3_1)
    Values added: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Mon, 24 Feb 2025 17:15:00 +0000

  Metrics (ssvc)
    Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 24 Feb 2025 15:00:00 +0000

  Description
    Values added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in guelben Bravo Search & Replace allows Blind SQL Injection. This issue affects Bravo Search & Replace: from n/a through 1.0.
  Title
    Values added: WordPress Bravo Search & Replace Plugin <= 1.0 - SQL Injection vulnerability
  Weaknesses
    Values added: CWE-89
  References
    (no values listed)
  Metrics (cvssV3_1)
    Values added: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:47.456Z

Reserved: 2025-02-21T16:45:27.525Z

Link: CVE-2025-27297

Vulnrichment

Updated: 2025-02-24T16:14:04.052Z

NVD

Status : Deferred

Published: 2025-02-24T15:15:15.567

Modified: 2026-06-17T09:03:21.420

Link: CVE-2025-27297

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T12:00:14Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')