Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages leadcapture allows Blind SQL Injection. This issue affects WP Lead Capturing Pages: from n/a through < 2.6.
Published: 2025-06-09
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Lead Capturing Pages plugin contains an improper neutralization of special elements used in an SQL command that allows a blind SQL injection attack. An attacker could craft input that is executed against the MySQL database, potentially reading, modifying, or deleting data and thereby compromising confidentiality and integrity of stored lead information.

Affected Systems

The vulnerability affects the kamleshyadav WP Lead Capturing Pages plugin for WordPress, in all versions prior to 2.6. Users running any of these versions are directly impacted.

Risk and Exploitability

With a CVSS score of 9.3 and an EPSS score of less than 1%, the flaw is considered high‑severity but currently has a very low predicted exploitation probability. The attack vector is inferred to be a web‑based input, such as a form field in the lead capture page, which an attacker can exploit without authentication. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 30, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Lead Capturing Pages plugin to version 2.6 or later to apply the vendor‑supplied fix.
  • If an update cannot be applied immediately, disable or remove the plugin to eliminate the vulnerable functionality.
  • Configure the WordPress database user with the minimum privileges required for normal operation, limiting the risk if an injection succeeds.
  • Enable application logging and monitor for anomalous database queries or repeated failed login attempts that may indicate SQL injection attempts.

Advisories
Source | ID | Title
EUVD | EUVD-2025-17500 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages allows Blind SQL Injection. This issue affects WP Lead Capturing Pages: from n/a through 2.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages allows Blind SQL Injection. This issue affects WP Lead Capturing Pages: from n/a through 2.3. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages leadcapture allows Blind SQL Injection. This issue affects WP Lead Capturing Pages: from n/a through < 2.6.
Title WordPress WP Lead Capturing Pages plugin <= 2.3 - SQL Injection vulnerability WordPress WP Lead Capturing Pages plugin < 2.6 - SQL Injection vulnerability
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00039}

epss

{'score': 0.00043}


Mon, 09 Jun 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages allows Blind SQL Injection. This issue affects WP Lead Capturing Pages: from n/a through 2.3.
Title WordPress WP Lead Capturing Pages plugin <= 2.3 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:23:11.081Z

Reserved: 2025-03-28T11:00:03.510Z

Link: CVE-2025-31424

Vulnrichment

Updated: 2025-06-09T17:18:54.619Z

NVD

Status: Deferred

Published: 2025-06-09T16:15:38.260

Modified: 2026-04-23T15:27:48.057

Link: CVE-2025-31424

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T18:00:14Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')