Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in themesuite Automotive Listings automotive allows Blind SQL Injection. This issue affects Automotive Listings: from n/a through <= 18.6.
Published: 2026-01-08
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Blind SQL Injection leading to data compromise
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is caused by improper neutralization of special characters in an SQL command, allowing blind SQL injection. An attacker could read or modify the content of the WordPress database, leading to confidentiality breaches and potential integrity damage. The weakness is a classic SQL Injection (CWE-89).

Affected Systems

The WordPress Automotive Listings plugin supplied by themesuite is affected for all versions up to and including 18.6. Users running these versions should verify the plugin version and consider upgrading. The vulnerability does not affect other WordPress components directly.

Risk and Exploitability

The CVSS score of 9.3 indicates high severity, while the EPSS score of less than 1% suggests a low, but not negligible, likelihood of exploitation in the wild. The vulnerability has not been listed in the CISA KEV catalog. Because it is a blind SQL injection reachable through the plugin’s web interface, the attack vector is an external user with web access, likely without authentication. No special environment is required, so the window of opportunity is broad, but the lack of immediate exploitation feedback means detection may be difficult.

Generated by OpenCVE AI on April 28, 2026 at 18:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Automotive Listings plugin to the latest available version (preferably 18.7 or later).
  • If an upgrade cannot be performed immediately, limit access to the plugin’s administrative areas with IP whitelisting or reverse proxy rules.
  • Deploy a web application firewall or similar input filtering to detect and block potentially malicious SQL statements targeting the plugin’s endpoints.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Removed: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Tue, 20 Jan 2026 14:45:00 +0000

Fri, 09 Jan 2026 13:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 08 Jan 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 16:30:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 08 Jan 2026 09:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in themesuite Automotive Listings automotive allows Blind SQL Injection.This issue affects Automotive Listings: from n/a through <= 18.6.

Type: Title
Values Added: WordPress Automotive Listings plugin <= 18.6 - SQL Injection vulnerability

Type: Weaknesses
Values Added: CWE-89

Type: References

Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:23.643Z

Reserved: 2025-12-15T09:59:49.437Z

Link: CVE-2025-67928

Vulnrichment

Updated: 2026-01-08T14:54:29.412Z

NVD

Status : Deferred

Published: 2026-01-08T10:15:51.863

Modified: 2026-04-27T18:16:49.987

Link: CVE-2025-67928

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T18:30:37Z

Weaknesses