Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Torod Company for Information Technology Torod torod allows SQL Injection. This issue affects Torod: from n/a through <= 2.1.
Published: 2025-07-16
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Torod plugin for WordPress contains an SQL injection flaw caused by insufficient neutralization of special characters in SQL commands. This weakness (CWE-89) permits an attacker to inject arbitrary SQL statements, potentially enabling the attacker to read, modify, or delete data stored in the site database. The CVE description does not reference code execution or privilege escalation beyond database manipulation.

Affected Systems

Affected versions are all releases of the Torod plugin from Torod Company for Information Technology from the initial launch through version 2.1. No later releases are listed as fixed.

Risk and Exploitability

With a CVSS score of 9.3 the vulnerability is classified as critical, but the EPSS score of less than 1% indicates a very low probability of exploitation at present, and the flaw is not included in CISA’s KEV catalog. The likely attack vector is remote via web input fields processed by the plugin; this inference is drawn from the fact that the injection occurs through user‑supplied data that reaches an SQL statement. Exploitation would require the ability to submit data to the plugin, making the flaw widely reachable if no other controls are in place.

Generated by OpenCVE AI on May 1, 2026 at 06:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of the Torod plugin higher than 2.1 or remove the plugin if no newer release is available
  • Configure the WordPress database user to have the least privileges necessary for normal operation
  • Deploy a web application firewall with rules to detect and block SQL injection patterns targeting the Torod plugin
  • Monitor database logs for unusual queries or changes that may indicate exploitation


Advisories
Source: EUVD
ID: EUVD-2025-21607
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Torod Company for Information Technology Torod allows SQL Injection. This issue affects Torod: from n/a through 1.9.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Torod Company for Information Technology Torod allows SQL Injection. This issue affects Torod: from n/a through 1.9.
  Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Torod Company for Information Technology Torod torod allows SQL Injection. This issue affects Torod: from n/a through <= 2.1.
Title
  Removed: WordPress Torod plugin <= 1.9 - SQL Injection Vulnerability
  Added: WordPress Torod plugin <= 2.1 - SQL Injection vulnerability
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Wed, 16 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00028}


Wed, 16 Jul 2025 11:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Torod Company for Information Technology Torod allows SQL Injection. This issue affects Torod: from n/a through 1.9.
Title WordPress Torod plugin <= 1.9 - SQL Injection Vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:01.248Z

Reserved: 2025-03-26T09:22:01.080Z

Link: CVE-2025-30936

Vulnrichment

Updated: 2025-07-16T13:45:46.588Z

NVD

Status: Deferred

Published: 2025-07-16T12:15:24.833

Modified: 2026-04-23T15:27:21.593

Link: CVE-2025-30936

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:00:06Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')