Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in xenioushk BWL Pro Voting Manager bwl-pro-voting-manager allows Blind SQL Injection. This issue affects BWL Pro Voting Manager: from n/a through <= 1.4.9.
Published: 2025-12-30
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper neutralization of special elements within SQL commands in the xenioushk BWL Pro Voting Manager plugin allows blind SQL injection. This flaw enables an attacker to execute arbitrary SQL statements against the database, potentially exfiltrating sensitive data, modifying vote counts, or elevating privileges. The weakness is a classic SQL injection (CWE-89) that compromises the confidentiality and integrity of data stored by the WordPress site.

Affected Systems

The vulnerability affects the BWL Pro Voting Manager WordPress plugin from any version up to and including 1.4.9. WordPress sites that have installed or enabled the plugin are at risk, regardless of the WordPress core version.

Risk and Exploitability

The CVSS score is 8.5, indicating a high severity. The EPSS score is below 1%, suggesting a low probability of being targeted currently, and the vulnerability is not listed in the CISA KEV catalog. The likely attack path involves submitting crafted voting requests through the plugin’s public endpoints, as the input fields are not properly sanitized. Successful exploitation would require network access to the WordPress site but does not depend on privileged credentials.

Generated by OpenCVE AI on April 29, 2026 at 15:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the BWL Pro Voting Manager plugin to version 1.5.0 or later to remove the injection flaw.
  • If an update cannot be applied immediately, consider disabling or uninstalling the BWL Pro Voting Manager plugin to eliminate the attack surface.
  • Deploy a web application firewall with SQL injection filters to detect and block suspicious payloads targeting the plugin’s endpoints.


Tracking


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 21:15:00 +0000

Type: Metrics

Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics

Values Removed: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Values Added: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 05 Jan 2026 10:45:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Tue, 30 Dec 2025 23:15:00 +0000

Type: Metrics

Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 30 Dec 2025 11:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in xenioushk BWL Pro Voting Manager bwl-pro-voting-manager allows Blind SQL Injection. This issue affects BWL Pro Voting Manager: from n/a through <= 1.4.9.

Type: Title
Values Added: WordPress BWL Pro Voting Manager plugin <= 1.4.9 - SQL Injection vulnerability

Type: Weaknesses
Values Added: CWE-89

Type: References

Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:33.768Z

Reserved: 2025-12-29T11:18:04.294Z

Link: CVE-2025-68990

Vulnrichment

Updated: 2025-12-30T21:38:40.329Z

NVD

Status: Deferred

Published: 2025-12-30T11:15:57.690

Modified: 2026-04-27T19:16:40.197

Link: CVE-2025-68990

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T15:15:14Z

Weaknesses