Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kiotviet KiotViet Sync allows SQL Injection. This issue affects KiotViet Sync: from n/a through 1.8.3.
Published: 2025-04-17
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Kiotviet Sync plugin for WordPress improperly neutralizes special characters in SQL commands, a SQL injection flaw. An attacker who can influence the plugin’s input fields can inject arbitrary SQL statements that may read or modify sensitive database content, potentially exposing customer data or altering store information. The weakness is classified as CWE-89 and can have cascading effects if the SQL injection is exploited to compromise the server’s database.

Affected Systems

WordPress sites using the Kiotviet Sync plugin older than version 1.8.4 (the vulnerability affects all releases up to 1.8.3). Any installation still running one of these versions is at risk.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity vulnerability, but the EPSS score of less than 1% suggests that active exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog, so known public exploits are not currently documented. Likely attack vectors involve interacting with the plugin’s public endpoints or administrative interfaces. If an attacker successfully injects SQL, they could read, update, or delete database records, leading to data loss or privilege escalation within the WordPress environment.

Generated by OpenCVE AI on April 30, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kiotviet Sync to version 1.8.4 or later, which contains the patch for the SQL injection flaw.
  • If an update cannot be performed immediately, disable or remove the Kiotviet Sync plugin until a fixed version is available.
  • As a temporary defense, limit the database user's privileges to the minimum required for the plugin, such as granting only SELECT rights, to reduce the impact of a potential injection.

Generated by OpenCVE AI on April 30, 2026 at 21:51 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-11688
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kiotviet KiotViet Sync allows SQL Injection. This issue affects KiotViet Sync: from n/a through 1.8.3.

History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kiotviet KiotViet Sync kiotvietsync allows SQL Injection.This issue affects KiotViet Sync: from n/a through <= 1.8.4.
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kiotviet KiotViet Sync allows SQL Injection. This issue affects KiotViet Sync: from n/a through 1.8.3.

Type: Title
Values Removed: WordPress KiotViet Sync Plugin <= 1.8.4 - SQL Injection vulnerability
Values Added: WordPress KiotViet Sync Plugin <= 1.8.3 - SQL Injection vulnerability

Type: References

Thu, 23 Apr 2026 15:30:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kiotviet KiotViet Sync allows SQL Injection. This issue affects KiotViet Sync: from n/a through 1.8.3.
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kiotviet KiotViet Sync kiotvietsync allows SQL Injection.This issue affects KiotViet Sync: from n/a through <= 1.8.4.

Type: Title
Values Removed: WordPress KiotViet Sync Plugin <= 1.8.3 - SQL Injection vulnerability
Values Added: WordPress KiotViet Sync Plugin <= 1.8.4 - SQL Injection vulnerability

Type: References

Thu, 17 Apr 2025 16:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kiotviet KiotViet Sync allows SQL Injection. This issue affects KiotViet Sync: from n/a through 1.8.3.

Type: Title
Values Added: WordPress KiotViet Sync Plugin <= 1.8.3 - SQL Injection vulnerability

Type: Weaknesses
Values Added: CWE-89

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:24.423Z

Reserved: 2025-04-09T11:20:09.347Z

Link: CVE-2025-32573

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2025-04-17T16:15:44.577

Modified: 2026-04-28T19:31:43.680

Link: CVE-2025-32573

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T22:00:08Z

Weaknesses