Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ovatheme Cube Portfolio cubeportfolio allows SQL Injection. This issue affects Cube Portfolio: from n/a through <= 1.16.8.
Published: 2025-08-14
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Cube Portfolio WordPress plugin allows attackers to inject arbitrary SQL statements because it fails to neutralize special characters in user-supplied input before using that input in a database query. This flaw can enable attackers to read, alter, or delete data stored by the website, potentially exposing sensitive information or compromising the site's integrity. The underlying weakness maps to CWE-89 (improper neutralization of special elements used in an SQL command).

Affected Systems

The vulnerability affects the ovatheme Cube Portfolio WordPress plugin, versions n/a through 1.16.8.

Risk and Exploitability

The CVSS base score of 8.5 classifies the flaw as high severity. Although the EPSS score is below 1%, the attack vector is inferred to be the web interface where the plugin accepts user input. No public exploit is known and the flaw is not listed in CISA KEV, but the nature of SQL injection means that an attacker with access to the plugin's configuration or edit pages could exploit the issue if the site does not enforce strict role permissions. The low EPSS does not rule out exploitation, especially on popular sites running the affected plugin versions.

Generated by OpenCVE AI on April 30, 2026 at 16:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Cube Portfolio plugin to version 1.16.9 or later when available
  • Verify that the plugin is disabled or removed from sites that are not actively using portfolio functionality
  • Implement role-based access controls to limit who can edit or configure the Cube Portfolio plugin

Advisories

Source: EUVD
ID: EUVD-2025-24797
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ovatheme Cube Portfolio allows SQL Injection. This issue affects Cube Portfolio: from n/a through 1.16.8.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Value removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ovatheme Cube Portfolio allows SQL Injection. This issue affects Cube Portfolio: from n/a through 1.16.8.
Value added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ovatheme Cube Portfolio cubeportfolio allows SQL Injection. This issue affects Cube Portfolio: from n/a through <= 1.16.8.

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Thu, 14 Aug 2025 15:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 Aug 2025 13:00:00 +0000

Type: First Time appeared
Value: Wordpress; Wordpress wordpress

Type: Vendors & Products
Value: Wordpress; Wordpress wordpress

Thu, 14 Aug 2025 10:45:00 +0000

Type: Description
Value: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ovatheme Cube Portfolio allows SQL Injection. This issue affects Cube Portfolio: from n/a through 1.16.8.

Type: Title
Value: WordPress Cube Portfolio Plugin <= 1.16.8 - SQL Injection Vulnerability

Type: Weaknesses
Value: CWE-89

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:33:01.257Z

Reserved: 2025-06-19T10:03:43.798Z

Link: CVE-2025-52823

Vulnrichment

Updated: 2025-08-14T13:34:45.737Z

NVD

Status : Deferred

Published: 2025-08-14T11:15:44.553

Modified: 2026-04-23T15:32:14.480

Link: CVE-2025-52823

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T16:45:26Z

Weaknesses