Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows SQL Injection. This issue affects Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2.
Published: 2025-12-31
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an instance of SQL Injection that arises from improper neutralization of special elements used in an SQL command. An attacker who can supply malicious input to the plugin's processing logic can cause the underlying database to execute arbitrary SQL statements. The result is the compromise of database confidentiality, integrity, and potentially availability, allowing attackers to read, modify, or delete data stored in the WordPress database.

Affected Systems

The Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) plugin developed by AA‑Team is affected when its version is 1.2 or earlier. The vulnerability applies to all releases from the plugin's inception through the 1.2 release milestone.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity. The EPSS score of less than 1% indicates a low current probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires the attacker to submit crafted input to the plugin’s interface or a shortcode that the plugin parses, which may be publicly accessible. Once the injection succeeds, the attacker can execute any SQL command supported by the database engine used by the WordPress installation.

Generated by OpenCVE AI on April 30, 2026 at 14:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Amazon Affiliates Addon to the latest version (or remove it entirely if not required).
  • Disable or remove any plugin operations that accept user‑supplied input without proper validation, especially shortcodes or form fields that are publicly accessible.
  • Restrict the database user account that WordPress uses to the minimum privileges necessary (e.g., avoid granting superuser rights and limit write access to the tables required for core operations).



Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) azon-addon-js-composer allows SQL Injection. This issue affects Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through <= 1.2.
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows SQL Injection. This issue affects Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2.

Type: References

Thu, 23 Apr 2026 15:30:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows SQL Injection. This issue affects Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2.
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) azon-addon-js-composer allows SQL Injection. This issue affects Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through <= 1.2.

Type: References

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 05 Jan 2026 10:45:00 +0000

Type: First Time appeared
Values Added:
  Aa-team
  Aa-team amazon Affiliates Addon For Wpbakery Page Builder
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Added:
  Aa-team
  Aa-team amazon Affiliates Addon For Wpbakery Page Builder
  Wordpress
  Wordpress wordpress

Fri, 02 Jan 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 31 Dec 2025 20:15:00 +0000

Type: Description
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows SQL Injection. This issue affects Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2.

Type: Title
Values Added: WordPress Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) plugin <= 1.2 - SQL Injection Vulnerability

Type: Weaknesses
Values Added: CWE-89

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:56.408Z

Reserved: 2025-03-24T13:00:55.839Z

Link: CVE-2025-30628

Vulnrichment

Updated: 2026-01-02T19:20:42.897Z

NVD

Status: Deferred

Published: 2025-12-31T20:15:42.353

Modified: 2026-04-28T19:30:21.050

Link: CVE-2025-30628

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T14:30:06Z

Weaknesses