Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge WordPress-WPJobBoard click-pledge-wpjobboard allows Blind SQL Injection.This issue affects WordPress-WPJobBoard: from n/a through <= 25.07010000-WP6.8.1-JB5.11.5.
Published: 2025-06-10
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is caused by improper neutralization of special characters that are subsequently incorporated into SQL commands in the ClickandPledge WordPress‑WPJobBoard plugin. The flaw allows an attacker to inject arbitrary SQL statements into a query, resulting in blind SQL injection. Consequently, an attacker could retrieve sensitive data from the database or modify existing records, thereby compromising the confidentiality and integrity of stored information. The weakness corresponds to CWE‑89 and the CVE data indicates it is a blind injection scenario.

Affected Systems

The affected component is the WordPress‑WPJobBoard plugin for WordPress, produced by ClickandPledge. All plugin releases up to and including version 25.07010000‑WP6.8.1‑JB5.11.5 are vulnerable; earlier releases are also likely affected because the issue is listed as "from n/a through <=". No newer releases have been specified as patched in the current data.

Risk and Exploitability

The CVSS base score of 9.3 rates the issue as critical. The EPSS score of less than 1% indicates a very low probability of observed exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be web‑based, where a crafted HTTP request to the plugin’s parameter‑handling endpoint can trigger the injection. No elevated privileges or additional prerequisites are mentioned, implying that any standard visitor or user with permission to submit data could potentially exploit the flaw. The exploitation results in database read or write operations; no evidence of privilege escalation or remote code execution is provided in the description.

Generated by OpenCVE AI on May 1, 2026 at 07:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress‑WPJobBoard plugin to a version newer than 25.07010000‑WP6.8.1‑JB5.11.5.
  • If the plugin is no longer required, uninstall or deactivate it to remove the vulnerable code path.
  • Configure a web application firewall or implement input filtering to reject or escape SQL‑related characters in user‑supplied data, mitigating blind injection attempts.

Generated by OpenCVE AI on May 1, 2026 at 07:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-17673 Deserialization of Untrusted Data vulnerability in LoftOcean TinySalt allows Object Injection.This issue affects TinySalt: from n/a before 3.10.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in LoftOcean TinySalt allows Object Injection.This issue affects TinySalt: from n/a before 3.10.0. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge WordPress-WPJobBoard click-pledge-wpjobboard allows Blind SQL Injection.This issue affects WordPress-WPJobBoard: from n/a through <= 25.07010000-WP6.8.1-JB5.11.5.
Title WordPress TinySalt < 3.10.0 - PHP Object Injection Vulnerability WordPress WordPress-WPJobBoard <= 25.07010000-WP6.8.1-JB5.11.5 - SQL Injection Vulnerability
Weaknesses CWE-502 CWE-89
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00054}

 epss

{'score': 0.00058}

Wed, 11 Jun 2025 08:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Jun 2025 13:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in LoftOcean TinySalt allows Object Injection.This issue affects TinySalt: from n/a before 3.10.0.
Title WordPress TinySalt < 3.10.0 - PHP Object Injection Vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:05.741Z

Reserved: 2025-06-04T15:44:57.577Z

Link: CVE-2025-49455

cve-icon Vulnrichment

Updated: 2025-06-10T13:36:19.319Z

cve-icon NVD

Status : Deferred

Published: 2025-06-10T13:15:23.107

Modified: 2026-04-23T15:31:42.853

Link: CVE-2025-49455

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T07:45:06Z

Weaknesses