Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yamna Khawaja Mailing Group Listserv wp-mailing-group allows SQL Injection.This issue affects Mailing Group Listserv: from n/a through <= 3.0.4.
Published: 2025-05-23
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw is an SQL injection vulnerability in the Yamna Khawaja Mailing Group Listserv plugin for WordPress. An attacker who can inject malicious SQL into the plugin’s queries can read, modify, or delete data in the database, potentially escalating privileges or facilitating further attacks. The weakness is classified as CWE-89."

Affected Systems

The vulnerability affects the Mailing Group Listserv plugin up through version 3.0.4. Any WordPress installation that has this plugin installed and has not been updated beyond that version is susceptible.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity, while the EPSS score of less than 1% suggests that exploitation prevalence is currently low. The plugin is not listed in the CISA KEV catalog. Based on the description and typical WordPress plugin exposure, the most likely attack vector is remote via crafted HTTP requests to the plugin’s endpoints. The vulnerability allows the execution of arbitrary SQL commands, which could compromise data confidentiality, integrity, and potentially lead to remote code execution if the database interacts with other systems or if default credentials are used.

Generated by OpenCVE AI on April 30, 2026 at 19:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Mailing Group Listserv plugin to version 3.0.5 or later, which contains the fix for the SQL injection flaw.
  • If an upgrade is not immediately possible, disable the plugin or remove it from the WordPress installation to eliminate the attack surface.
  • Restrict HTTP access to the plugin’s administrative pages using role‑based access controls or a firewall rule to limit exposure to trusted users only.

Generated by OpenCVE AI on April 30, 2026 at 19:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28049 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yamna Khawaja Mailing Group Listserv allows SQL Injection. This issue affects Mailing Group Listserv: from n/a through 3.0.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yamna Khawaja Mailing Group Listserv allows SQL Injection. This issue affects Mailing Group Listserv: from n/a through 3.0.4. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yamna Khawaja Mailing Group Listserv wp-mailing-group allows SQL Injection.This issue affects Mailing Group Listserv: from n/a through <= 3.0.4.
Title WordPress Mailing Group Listserv <= 3.0.4 - SQL Injection Vulnerability WordPress Mailing Group Listserv plugin <= 3.0.4 - SQL Injection Vulnerability
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Fri, 23 May 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yamna Khawaja Mailing Group Listserv allows SQL Injection. This issue affects Mailing Group Listserv: from n/a through 3.0.4.
Title WordPress Mailing Group Listserv <= 3.0.4 - SQL Injection Vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:37.969Z

Reserved: 2025-04-24T14:22:30.738Z

Link: CVE-2025-46463

cve-icon Vulnrichment

Updated: 2025-05-23T14:49:55.454Z

cve-icon NVD

Status : Deferred

Published: 2025-05-23T13:15:35.380

Modified: 2026-04-23T15:30:02.470

Link: CVE-2025-46463

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T19:15:16Z

Weaknesses