CVE-2025-39370 - Vulnerability Details

- WordPress iCafe Library plugin <= 1.8.3 - SQL Injection vulnerability

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in cnilsson iCafe Library icafe-library allows SQL Injection.This issue affects iCafe Library: from n/a through <= 1.8.3.

Published: 2025-05-19

Score: 7.6 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Improper neutralization of special elements in SQL commands in the iCafe Library plugin allows attackers to inject arbitrary SQL statements, potentially enabling the read, modification, or deletion of database content and exposing sensitive information or altering site data.

Affected Systems

The flaw affects the WordPress iCafe Library plugin contained in releases from its earliest versions through 1.8.3. WordPress sites deploying this plugin within that range are vulnerable; the vendor identified as cnilsson iCafe Library is the affected product.

Risk and Exploitability

With a CVSS score of 7.6 the vulnerability is high severity, yet the EPSS score of less than 1 % indicates a low probability of exploitation in the wild, and it is not listed in CISA’s KEV catalog. Nonetheless, the plugin accepts user‑supplied input at a public endpoint, meaning that an attacker can launch the injection from a remotely reachable location, exposing the site to data compromise unless mitigated.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

cnilsson

iCafe Library

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.8.3

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the iCafe Library plugin to a version newer than 1.8.3, which contains the SQL injection fix.
If an upgrade cannot be performed immediately, disable the plugin to eliminate the vulnerable code path.
Apply web‑application‑firewall rules that block known SQL injection patterns against the plugin’s request parameters as an additional safeguard.

Generated by OpenCVE AI on April 30, 2026 at 19:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-27947	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cnilsson iCafe Library allows SQL Injection.This issue affects iCafe Library: from n/a through 1.8.3.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00262.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/icafe-library/vulnerability/wordpress-icafe-library-plugin-1-8-3-sql-injection-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cnilsson iCafe Library allows SQL Injection.This issue affects iCafe Library: from n/a through 1.8.3.	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in cnilsson iCafe Library icafe-library allows SQL Injection.This issue affects iCafe Library: from n/a through <= 1.8.3.
References	https://patchstack.com/database/wordpress/plugin/icafe-library/vulnerability/wordpress-icafe-library-plugin-1-8-3-sql-injection-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/icafe-library/vulnerability/wordpress-icafe-library-plugin-1-8-3-sql-injection-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}`

Mon, 19 May 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 19 May 2025 16:45:00 +0000

Type	Values Removed	Values Added
Description		Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cnilsson iCafe Library allows SQL Injection.This issue affects iCafe Library: from n/a through 1.8.3.
Title		WordPress iCafe Library plugin <= 1.8.3 - SQL Injection vulnerability
Weaknesses		CWE-89
References		https://patchstack.com/database/wordpress/plugin/icafe-library/vulnerability/wordpress-icafe-library-plugin-1-8-3-sql-injection-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}`

Subscriptions

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-05-19T16:40:06.236Z

Updated: 2026-04-28T16:12:29.714Z

Reserved: 2025-04-16T06:22:29.272Z

Link: CVE-2025-39370

Vulnrichment

Updated: 2025-05-19T16:56:33.868Z

NVD

Status : Deferred

Published: 2025-05-19T17:15:25.793

Modified: 2026-04-23T15:29:25.637

Link: CVE-2025-39370

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T20:00:14Z

Weaknesses

CWE-89

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object