Description
The JS Archive List plugin for WordPress is vulnerable to time-based SQL Injection via the build_sql_where() function in all versions up to, and including, 6.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-08-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated SQL injection via build_sql_where
Action: Immediate Patch
AI Analysis

Impact

The JS Archive List plugin for WordPress contains a time‑based SQL injection flaw in the build_sql_where() function. The function fails to escape or prepare the user‑supplied parameter, allowing an unauthenticated attacker to append arbitrary SQL statements to the existing query. This can result in the disclosure of sensitive data from the database and potential further manipulation of database contents.

Affected Systems

All installations of the WordPress JS Archive List plugin from skatox, up to and including version 6.1.5, are affected. Any site using this plugin will be at risk if the current version is deployed.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity of the vulnerability. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the condition that it is not listed in the CISA KEV catalog further reduces the perceived threat. Nonetheless, because the flaw is exploitable by unauthenticated users via simple web requests, the risk remains tangible for any exposed installation. An attacker can construct time‑based SQL queries to confirm injection success and extract data from the database.

Generated by OpenCVE AI on April 21, 2026 at 19:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JS Archive List to any version newer than 6.1.5 to eliminate the injection vector.
  • If an upgrade is not immediately possible, remove or deactivate the plugin until a patched version is available.
  • After remediation, audit database integrity to detect any potential unauthorized changes and review other WordPress plugins for similar SQL handling issues.

Generated by OpenCVE AI on April 21, 2026 at 19:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28781 The JS Archive List plugin for WordPress is vulnerable to time-based SQL Injection via the build_sql_where() function in all versions up to, and including, 6.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Tue, 19 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 Aug 2025 07:45:00 +0000

Type Values Removed Values Added
Description The JS Archive List plugin for WordPress is vulnerable to time-based SQL Injection via the build_sql_where() function in all versions up to, and including, 6.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title JS Archive List <= 6.1.5 - Unauthenticated SQL Injection via build_sql_where Function
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:00:45.793Z

Reserved: 2025-07-14T22:10:34.837Z

Link: CVE-2025-7670

cve-icon Vulnrichment

Updated: 2025-08-19T13:18:36.132Z

cve-icon NVD

Status : Deferred

Published: 2025-08-19T08:15:30.527

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7670

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T19:30:06Z

Weaknesses