Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus iFrame Images Gallery wp-iframe-images-gallery allows SQL Injection. This issue affects iFrame Images Gallery: from n/a through <= 9.0.
Published: 2025-07-04
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a classic SQL injection flaw (CWE-89) in the gopiplus iFrame Images Gallery WordPress plugin. An attacker can supply malicious input that is not properly escaped, allowing the execution of arbitrary SQL statements against the site database. Successful exploitation can lead to unauthorized read, modification, or deletion of sensitive data stored by WordPress, including user credentials, posts, and plugin settings.

Affected Systems

The defect is present in all versions of the iFrame Images Gallery plugin up to and including version 9.0. The affected vendor is gopiplus and the product is the WordPress iFrame Images Gallery plugin. No specific sub-versions are delineated beyond the <= 9.0 cutoff.

Risk and Exploitability

The CVSS score of 8.5 flags this issue as high severity, while the EPSS score of < 1% suggests a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Likely attack vectors involve placing a crafted payload into any plugin parameter that feeds an unfiltered SQL query, such as the gallery insert or image URL fields. If the database account used by WordPress has high privileges, an attacker could escalate a data breach into a full database takeover.

Generated by OpenCVE AI on April 30, 2026 at 16:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iFrame Images Gallery to a version beyond 9.0 or to the latest official release that includes the fix.
  • If an upgrade is delayed, restrict write access to the plugin’s input fields by implementing strict validation or by disabling untrusted content input.
  • After applying the patch, conduct a credential audit on the database user used by WordPress and limit its permissions to the minimum necessary for normal operation.

Advisories

Source: EUVD
ID: EUVD-2025-19939
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus iFrame Images Gallery allows SQL Injection. This issue affects iFrame Images Gallery: from n/a through 9.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus iFrame Images Gallery allows SQL Injection. This issue affects iFrame Images Gallery: from n/a through 9.0.
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus iFrame Images Gallery wp-iframe-images-gallery allows SQL Injection. This issue affects iFrame Images Gallery: from n/a through <= 9.0.

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Tue, 08 Jul 2025 14:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 04 Jul 2025 09:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus iFrame Images Gallery allows SQL Injection. This issue affects iFrame Images Gallery: from n/a through 9.0.

Type: Title
Values Added: WordPress iFrame Images Gallery plugin <= 9.0 - SQL Injection Vulnerability

Type: Weaknesses
Values Added: CWE-89

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:02.297Z

Reserved: 2025-03-26T09:22:27.937Z

Link: CVE-2025-30969

Vulnrichment

Updated: 2025-07-08T14:05:13.323Z

NVD

Status: Deferred

Published: 2025-07-04T09:15:34.417

Modified: 2026-04-23T15:27:25.383

Link: CVE-2025-30969

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T17:00:15Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')