Description
The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's SQLREPORT shortcode in all versions up to, and including, 5.25.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-29
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Update
AI Analysis

Impact

The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress has a stored cross‑site scripting flaw caused by insufficient input sanitization and output escaping on the SQLREPORT shortcode attributes. Specifically, contributors or higher-level users can embed arbitrary web scripts into pages, and those scripts are executed when any authenticated or unauthenticated visitor loads the affected page. This allows attackers to run client‑side code in the context of a legitimate user, potentially leading to session hijacking, defacement or other malicious actions.

Affected Systems

Scheeeli’s EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is affected in all releases up to and including version 5.25.11. Users running those or earlier versions should check the vendor’s plugin page for an updated release that fixes the vulnerability.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.4, indicating moderate severity, and an EPSS score of less than 1%, reflecting a low projected exploitation probability in the general population. It is not listed in the CISA KEV catalog. Attackers must be authenticated with contributor-level or higher privileges to insert the malicious payload, after which the script will execute for any user who views the affected page.

Generated by OpenCVE AI on April 20, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the EZ SQL Reports Shortcode Widget and DB Backup plugin to the latest available version that removes the SQLREPORT shortcode vulnerability.
  • If an update is not yet available, deactivate or uninstall the plugin to eliminate the attack surface. If the plugin cannot be removed, consider disabling the SQLREPORT shortcode or preventing contributors from adding it.
  • Review and, if possible, limit contributor role permissions so that they cannot add or modify shortcodes that execute arbitrary code. Configuring the plugin or using a role‑management plugin to restrict shortcode usage can mitigate the risk until a patch is applied.

Generated by OpenCVE AI on April 20, 2026 at 20:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19548 The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's SQLREPORT shortcode in all versions up to, and including, 5.25.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 08 Jul 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Ieonly
Ieonly ez Sql Reports Shortcode Widget And Db Backup
CPEs cpe:2.3:a:ieonly:ez_sql_reports_shortcode_widget_and_db_backup:*:*:*:*:*:wordpress:*:*
Vendors & Products Ieonly
Ieonly ez Sql Reports Shortcode Widget And Db Backup

Mon, 30 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 29 Jun 2025 04:45:00 +0000

Type Values Removed Values Added
Description The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's SQLREPORT shortcode in all versions up to, and including, 5.25.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title EZ SQL Reports Shortcode Widget and DB Backup <= 5.25.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via SQLREPORT Shortcode
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Ieonly Ez Sql Reports Shortcode Widget And Db Backup
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:13:30.971Z

Reserved: 2025-06-20T21:53:33.207Z

Link: CVE-2025-6462

cve-icon Vulnrichment

Updated: 2025-06-30T15:53:20.762Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-29T05:15:20.663

Modified: 2025-07-08T14:40:49.613

Link: CVE-2025-6462

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T20:30:16Z

Weaknesses