Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tiny Solutions Media Library Tools media-library-tools allows SQL Injection.This issue affects Media Library Tools: from n/a through <= 1.6.15.
Published: 2025-12-09
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of special elements used in an SQL command within the Media Library Tools plugin. An attacker can inject malicious SQL through user-supplied input, leading to unauthorized read, update, or delete operations in the database. The weakness corresponds to CWE-89 and can compromise both confidentiality and integrity of the WordPress site's data.

Affected Systems

The affected vendor is Tiny Solutions and the product is Media Library Tools, all releases up to and including version 1.6.15 are impacted.

Risk and Exploitability

The CVSS score of 7.6 indicates high severity, but the EPSS score of less than 1% suggests a very low but non‑zero probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers would likely exploit it via a crafted HTTP request to the plugin’s endpoint, inserting malicious SQL into a parameter that the plugin fails to sanitize.

Generated by OpenCVE AI on April 29, 2026 at 19:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Media Library Tools plugin to version 1.6.16 or later, which contains the fix for the SQL injection issue.
  • If an update is not immediately possible, consider deactivating the plugin or restricting access to it until a patch is applied.
  • Configure a web application firewall to detect and block typical SQL injection payloads targeting the Media Library Tools endpoints.
  • Monitor server logs for unexpected query strings or repeated injection attempts, and investigate any anomalies promptly.

Generated by OpenCVE AI on April 29, 2026 at 19:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 11 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 10 Dec 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Tinysolutions
Tinysolutions media Library Tools
Wordpress
Wordpress wordpress
Vendors & Products Tinysolutions
Tinysolutions media Library Tools
Wordpress
Wordpress wordpress

Tue, 09 Dec 2025 14:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tiny Solutions Media Library Tools media-library-tools allows SQL Injection.This issue affects Media Library Tools: from n/a through <= 1.6.15.
Title WordPress Media Library Tools plugin <= 1.6.15 - SQL Injection vulnerability
Weaknesses CWE-89
References

Subscriptions

Tinysolutions Media Library Tools
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:19.827Z

Reserved: 2025-12-09T12:20:54.763Z

Link: CVE-2025-67520

cve-icon Vulnrichment

Updated: 2025-12-11T19:00:16.375Z

cve-icon NVD

Status : Deferred

Published: 2025-12-09T16:18:25.403

Modified: 2026-04-27T18:16:40.563

Link: CVE-2025-67520

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T19:45:18Z

Weaknesses