Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Pinterest Automatic Pin wp-pinterest-automatic allows SQL Injection. This issue affects Pinterest Automatic Pin: from n/a through < 4.19.0.
Published: 2025-08-14
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of special elements used within an SQL command in the Pinterest Automatic Pin plugin. Attackers can inject arbitrary SQL statements that may read, modify, or delete data in the WordPress database, potentially exposing sensitive information or altering site content. The weakness corresponds to CWE‑89.

Affected Systems

This issue affects WordPress installations running the Pinterest Automatic Pin plugin from any released version up to, but not including, 4.19.0. The plugin is distributed by ValvePress and commonly used to auto‑save Pinterest images to sites.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity: if exploited, the impact can be significant. The EPSS score is listed as less than 1%, suggesting that active exploitation is currently unlikely, and the vulnerability is not yet catalogued in CISA’s KEV list, which increases confidence that it has not been widely exploited in the wild. The likely attack vector is standard HTTP requests to the plugin’s exposed endpoints, so anyone with network access to the site may attempt to submit malformed input that is processed without adequate sanitization. The recorded CVSS vector (AV:N/AC:L/PR:L) rates the attack as network-reachable and low-complexity, with low privileges required.

Generated by OpenCVE AI on May 2, 2026 at 01:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Pinterest Automatic Pin plugin to version 4.19.0 or later, as that version includes the SQL injection fix.
  • If the plugin cannot be upgraded immediately, disable or uninstall the Pinterest Automatic Pin plugin to eliminate the vulnerable code path until a patch is available.
  • Reconfigure the WordPress database user with least privilege: remove unnecessary SELECT, INSERT, UPDATE rights and enforce only the permissions required by the application to limit damage if an injection occurs.



Advisories
Source: EUVD
ID: EUVD-2025-24746
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Pinterest Automatic Pin allows SQL Injection. This issue affects Pinterest Automatic Pin: from n/a through n/a.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Pinterest Automatic Pin allows SQL Injection. This issue affects Pinterest Automatic Pin: from n/a through n/a.
  Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Pinterest Automatic Pin wp-pinterest-automatic allows SQL Injection. This issue affects Pinterest Automatic Pin: from n/a through < 4.19.0.
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Thu, 14 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared: Valvepress; Valvepress pinterest Automatic Pin; Wordpress; Wordpress wordpress
Vendors & Products: Valvepress; Valvepress pinterest Automatic Pin; Wordpress; Wordpress wordpress

Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Pinterest Automatic Pin allows SQL Injection. This issue affects Pinterest Automatic Pin: from n/a through n/a.
Title WordPress Pinterest Automatic Pin plugin < 4.19.0 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:33.892Z

Reserved: 2025-04-16T06:24:25.376Z

Link: CVE-2025-39510

Vulnrichment

Updated: 2025-08-14T19:36:40.712Z

NVD

Status: Deferred

Published: 2025-08-14T11:15:34.117

Modified: 2026-04-23T15:29:41.987

Link: CVE-2025-39510

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T01:15:06Z
