Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in designthemes LMS lms allows SQL Injection. This issue affects LMS: from n/a through <= 9.2.
Published: 2025-07-04
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of special elements used in an SQL command, classified as a SQL injection flaw. An attacker who can submit crafted input through the LMS theme could inject arbitrary SQL statements into the database. This allows the attacker to read, modify, delete, or exfiltrate sensitive data, including user credentials, course content, and payment information, thereby compromising confidentiality, integrity, and potentially availability if disruptive queries are executed.

Affected Systems

The flaw affects the DesignThemes LMS WordPress theme, all installations running versions up to and including 9.2. Sites that have deployed this theme and have not yet applied a later version are potentially impacted.

Risk and Exploitability

The CVSS score of 9.3 reflects a high severity, and the EPSS value of < 1% suggests that while exploitation is not common, the vulnerability remains actionable. It is not listed in the CISA KEV catalog. The likely attack vector is remote, via crafted HTTP requests to the WordPress site that process LMS input. Successful exploitation requires that the attacker can reach a form or endpoint that incorporates unsanitized user input into a database query.

Generated by OpenCVE AI on April 30, 2026 at 09:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LMS theme to a version newer than 9.2, ensuring the SQL injection fix is applied.
  • If an immediate upgrade is unavailable, configure the database user used by WordPress with the least privilege necessary and consider patching the theme manually to use parameterized queries.
  • Deploy a Web Application Firewall rule to detect and block requests containing suspicious SQL syntax patterns.
  • Temporarily restrict access to the LMS functionality or isolate the site behind additional security controls until a permanent fix is applied.
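The second recommended action asks site operators to patch the theme to use parameterized queries. The following is an added example, not code from the DesignThemes LMS theme or from OpenCVE: a hypothetical course-search handler for a WordPress theme, shown first in the string-building pattern that produces CWE-89 and then in the form built on `$wpdb->prepare()`. The function names, the `q`, `limit` and `order` request parameters and the nonce action name are assumptions; the WordPress APIs used (`$wpdb->prepare`, `$wpdb->esc_like`, `check_ajax_referer`, `sanitize_text_field`, `sanitize_key`, `wp_send_json_success`) are real.

```php
<?php
/**
 * Added example (not the DesignThemes LMS theme's code): a hypothetical
 * course-search handler, in the pattern that produces CWE-89 and in the
 * parameterized form the remediation guidance calls for. Function names,
 * the 'q', 'limit' and 'order' parameters and the nonce action are assumed.
 */

// VULNERABLE PATTERN: request text is concatenated into the SQL string, so the
// input can change the statement's structure instead of acting as a value.
function lms_course_search_vulnerable( $keyword, $order_by ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}"
         . " WHERE post_type = 'course' AND post_status = 'publish'"
         . " AND post_title LIKE '%" . $keyword . "%'"
         . " ORDER BY " . $order_by . " DESC";
    return $wpdb->get_results( $sql );
}

// HARDENED FORM: the query text is fixed, every value is bound through
// $wpdb->prepare(), and the one piece that cannot be bound (the column name in
// ORDER BY) is restricted to an allow-list instead.
function lms_course_search( $keyword, $order_by = 'post_date', $limit = 20 ) {
    global $wpdb;

    // Identifiers cannot be parameterized, so map them onto a fixed set.
    $allowed_order = array( 'post_date', 'post_title', 'menu_order' );
    if ( ! in_array( $order_by, $allowed_order, true ) ) {
        $order_by = 'post_date';
    }

    // Coerce numeric input and clamp it so one request cannot dump the table.
    $limit = max( 1, min( 100, intval( $limit ) ) );

    // esc_like() escapes %, _ and \ in user text so they match literally; the
    // surrounding wildcards are added here, never supplied by the caller.
    $pattern = '%' . $wpdb->esc_like( $keyword ) . '%';

    // %s and %d are bound by prepare() (%s is quoted for us). {$wpdb->posts} is
    // the table name WordPress itself configured, and {$order_by} was just
    // allow-listed above, so neither carries request input.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = %s AND post_status = 'publish'
         AND post_title LIKE %s
         ORDER BY {$order_by} DESC
         LIMIT %d",
        'course',
        $pattern,
        $limit
    );
    return $wpdb->get_results( $sql );
}

// Entry point reachable through admin-ajax.php. The nonce check ties the
// request to the site's own form; wp_unslash()/sanitize_text_field() normalize
// the text, but it is prepare() above, not sanitization, that prevents injection.
function lms_ajax_course_search() {
    check_ajax_referer( 'lms_course_search', 'nonce' );
    $keyword  = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    $order_by = isset( $_GET['order'] ) ? sanitize_key( $_GET['order'] ) : 'post_date';
    $limit    = isset( $_GET['limit'] ) ? intval( $_GET['limit'] ) : 20;
    wp_send_json_success( lms_course_search( $keyword, $order_by, $limit ) );
}
add_action( 'wp_ajax_lms_course_search', 'lms_ajax_course_search' );
add_action( 'wp_ajax_nopriv_lms_course_search', 'lms_ajax_course_search' );
```

The vulnerable function is shown only so the difference is visible; only the hardened one should ship. When auditing a theme for this class of bug, every `$wpdb->query`, `get_results`, `get_var` and `get_row` call whose SQL is assembled with string concatenation or interpolation of request data is a candidate, and the fix is the same each time: bind values with `prepare()`, allow-list identifiers, and coerce numbers. For the least-privilege bullet, the WordPress database user needs only the data and schema privileges on its own database (SELECT, INSERT, UPDATE, DELETE, plus CREATE, ALTER and INDEX for core and plugin upgrades); granting global privileges such as FILE or access to other databases widens what a successful injection can reach.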

Advisories

Source: EUVD
ID: EUVD-2025-20005
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in designthemes LMS allows SQL Injection. This issue affects LMS: from n/a through 9.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in designthemes LMS allows SQL Injection. This issue affects LMS: from n/a through 9.1.
  Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in designthemes LMS lms allows SQL Injection.This issue affects LMS: from n/a through <= 9.2.
Title
  Values Removed: WordPress LMS <= 9.1 - SQL Injection Vulnerability
  Values Added: WordPress LMS theme <= 9.2 - SQL Injection Vulnerability
References
Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Mon, 07 Jul 2025 15:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Jul 2025 11:30:00 +0000

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in designthemes LMS allows SQL Injection. This issue affects LMS: from n/a through 9.1.
Title: WordPress LMS <= 9.1 - SQL Injection Vulnerability
Weaknesses: CWE-89
References
Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:20.151Z

Reserved: 2025-06-19T10:03:50.594Z

Link: CVE-2025-52833

Vulnrichment

Updated: 2025-07-07T14:06:05.707Z

NVD

Status: Deferred

Published: 2025-07-04T12:15:35.217

Modified: 2026-04-23T15:32:15.603

Link: CVE-2025-52833

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T10:00:16Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')