Description
Subscriber SQL Injection in Unicamp <= 2.2.2 versions.
Published: 2026-07-02
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Unicamp theme for WordPress contains a flaw that allows an attacker to inject arbitrary SQL through the subscription interface. The input is improperly sanitized, permitting malicious SQL fragments to be appended to the query used when storing subscriber data. Exploiting this weakness can lead to unauthorized read, modification, or deletion of database records, potentially exposing sensitive user information or defacing the site.

Affected Systems

WordPress installations running the Unicamp theme version 2.2.2 or earlier. The theme is supplied by the vendor ThemeMove under the product name Unicamp.

Risk and Exploitability

The CVSS score of 8.5 places the vulnerability in the High severity band, matching the rating shown in the record header. No EPSS score is currently available, and the absence of a KEV listing does not reduce the risk for sites that host the vulnerable theme. The likely attack vector is remote: the attacker sends a crafted request to the subscription form, which is accessible to any visitor. Successful exploitation depends on the theme passing the input into the query without proper escaping or prepared statements, which the affected releases fail to do.

Generated by OpenCVE AI on July 2, 2026 at 15:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Unicamp theme to the latest version that includes the SQL injection fix.
  • If an upgrade is not immediately possible, temporarily disable the subscription feature or remove the theme's subscriber form until a patch is applied.
  • Audit the site's input handling and database queries for other unsanitized parameters, and enforce prepared statements or parameterized queries.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 16:30:00 +0000

  • Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Jul 2026 11:30:00 +0000

  • Description (values added): Subscriber SQL Injection in Unicamp <= 2.2.2 versions.
  • Title (values added): WordPress Unicamp theme <= 2.2.2 - SQL Injection vulnerability
  • Weaknesses (values added): CWE-89
  • References: no entries shown
  • Metrics (values added): cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T14:54:16.860Z

Reserved: 2025-12-29T11:19:21.660Z

Link: CVE-2025-69094

Vulnrichment

Updated: 2026-07-02T14:54:13.079Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T15:45:16Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')