Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Potenzaglobalsolutions PGS Core pgs-core allows SQL Injection.This issue affects PGS Core: from n/a through <= 5.9.0.
Published: 2025-09-26
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The PGS Core plugin contains an SQL injection flaw that allows an attacker to execute arbitrary SQL queries by sending crafted input to the plugin’s database queries. This flaw arises from improper neutralization of special characters in user‑controllable data. The vulnerability can lead to disclosure of sensitive data, modification of stored information, or even deletion of database contents. The weakness is classified as CWE‑89. The CVSS score of 8.5 highlights its potential for serious impact.

Affected Systems

The vulnerability affects the WordPress PGS Core plugin from Potenzaglobalsolutions, in all versions from the earliest available up to and including 5.9.0. Any WordPress site that has the plugin installed in these releases is vulnerable.

Risk and Exploitability

The CVSS score of 8.5 marks this issue as high severity. With an EPSS lower than 1 %, the likelihood of current exploitation remains low, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to interact with the plugin’s input parameters, which are likely restricted to users with administrative or plugin‑management rights. Because the description does not state that unauthenticated users can trigger the flaw, it is inferred that privileged access is required, but the risk of compromise for sites with high‑level users remains significant.

Generated by OpenCVE AI on April 30, 2026 at 00:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the PGS Core plugin to any version newer than 5.9.0 once an update is released by Potenzaglobalsolutions.
  • If an update is not yet available, remove or deactivate the PGS Core plugin from the WordPress installation to eliminate the vulnerability.
  • Apply a web application firewall rule that blocks arbitrary SQL‑related payloads targeting the plugin’s endpoints, and use WordPress security plugins to restrict plugin configuration access to trusted administrators only.

Generated by OpenCVE AI on April 30, 2026 at 00:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31282 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Potenzaglobalsolutions PGS Core allows SQL Injection. This issue affects PGS Core: from n/a through 5.9.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Potenzaglobalsolutions PGS Core allows SQL Injection. This issue affects PGS Core: from n/a through 5.9.0. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Potenzaglobalsolutions PGS Core pgs-core allows SQL Injection.This issue affects PGS Core: from n/a through <= 5.9.0.
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Mon, 29 Sep 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 26 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Sep 2025 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Potenzaglobalsolutions PGS Core allows SQL Injection. This issue affects PGS Core: from n/a through 5.9.0.
Title WordPress PGS Core Plugin <= 5.9.0 - SQL Injection Vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:55.180Z

Reserved: 2025-09-25T15:20:22.597Z

Link: CVE-2025-60118

cve-icon Vulnrichment

Updated: 2025-09-26T15:01:30.259Z

cve-icon NVD

Status : Deferred

Published: 2025-09-26T09:15:38.690

Modified: 2026-04-23T15:34:15.200

Link: CVE-2025-60118

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T00:15:23Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')