Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aristo Rinjuang WP Inquiries wp-inquiries allows SQL Injection. This issue affects WP Inquiries: from n/a through <= 0.2.1.
Published: 2025-04-09
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the WP Inquiries plugin lets an attacker inject arbitrary SQL into a query the plugin runs, owing to a lack of proper neutralization of special characters in input (CWE-89). The published CVSS vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L) bounds the impact more precisely than a generic SQL-injection description: the attacker needs a high-privilege account (PR:H), and a successful injection is rated high for confidentiality (C:H), none for integrity (I:N) and low for availability (A:L). The scope change (S:C) indicates that the impact reaches beyond the plugin itself: because the plugin's queries run with the site's own database credentials, data across the WordPress database, not only the plugin's tables, is exposed to reading.

Affected Systems

The vulnerability exists in Aristo Rinjuang's WP Inquiries plugin (slug wp-inquiries) in all versions up to and including 0.2.1; the advisory gives no lower bound ("from n/a"). Any WordPress installation that still has one of those versions installed is affected.

Risk and Exploitability

The CVSS 3.1 score of 7.6 (High) reflects a network-reachable, low-complexity attack (AV:N/AC:L) with no user interaction (UI:N) that nonetheless requires a high-privilege account (PR:H). The EPSS score of < 1% indicates that exploitation is currently considered unlikely but not impossible, and the SSVC values recorded in the CVE record on 2025-04-09 list Exploitation: none, Automatable: no and Technical Impact: partial. The CVE does not appear in the CISA KEV catalog, so no confirmed in-the-wild exploitation is known. No technical details or proof of concept are published on this page; the attack surface is the plugin's web-facing functionality, reached through HTTP requests to its endpoints from an already privileged session. Administrators should weigh the confidentiality exposure of the whole database against the privilege requirement and apply mitigations promptly.

Generated by OpenCVE AI on May 1, 2026 at 10:59 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Check whether a WP Inquiries release newer than 0.2.1 is available and upgrade if so. The Remediation section above records no vendor fix at the time this page was generated, so confirm through the assigner's (Patchstack's) advisory that a newer release actually closes this issue before relying on the upgrade.
  • If no fixed version exists or the update cannot be applied immediately, deactivate and delete the plugin to remove the attack surface; with WP-CLI that is wp plugin deactivate wp-inquiries followed by wp plugin delete wp-inquiries, assuming the installed plugin directory matches the wp-inquiries slug in the CVE description.
  • Run WordPress with a database account that is granted rights on the site's own database only and carries no global privileges such as FILE or SUPER. This does not stop the injection, because WordPress needs full read and write access to its own tables, but it bounds what a successful injection can reach. A web application firewall that blocks common SQL-injection patterns adds a detection layer, not a fix; since the vector lists PR:H, the malicious requests will come from an authenticated privileged session, so also review admin-area request logs for the plugin's endpoints.


Advisories
Source  ID               Title
EUVD    EUVD-2025-10556  Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aristo Rinjuang WP Inquiries allows SQL Injection. This issue affects WP Inquiries: from n/a through 0.2.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1):
    {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

  Description
    Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aristo Rinjuang WP Inquiries allows SQL Injection. This issue affects WP Inquiries: from n/a through 0.2.1.
    Added:   Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aristo Rinjuang WP Inquiries wp-inquiries allows SQL Injection.This issue affects WP Inquiries: from n/a through <= 0.2.1.
  Title
    Removed: WordPress WP Inquiries <= 0.2.1 - SQL Injection Vulnerability
    Added:   WordPress WP Inquiries plugin <= 0.2.1 - SQL Injection Vulnerability
  References (values not shown)
  Metrics (cvssV3_1):
    {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


Wed, 09 Apr 2025 18:15:00 +0000

  Metrics (ssvc):
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 09 Apr 2025 16:30:00 +0000

  Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aristo Rinjuang WP Inquiries allows SQL Injection. This issue affects WP Inquiries: from n/a through 0.2.1.
  Title: WordPress WP Inquiries <= 0.2.1 - SQL Injection Vulnerability
  Weaknesses: CWE-89
  References (values not shown)
  Metrics (cvssV3_1):
    {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:27.924Z

Reserved: 2025-04-09T11:21:24.366Z

Link: CVE-2025-32685

Vulnrichment

Updated: 2025-04-09T17:46:54.844Z

NVD

Status: Deferred

Published: 2025-04-09T17:15:52.817

Modified: 2026-04-23T15:29:20.903

Link: CVE-2025-32685

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T11:00:15Z

Weaknesses