Description
The Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App plugin for WordPress is vulnerable to SQL Injection via the nh_ynaa_comments() function in all versions up to, and including, 0.8.8.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-10-03
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated SQL Injection allowing data extraction
Action: Immediate Patch
AI Analysis

Impact

Blappsta Mobile App Plugin, a WordPress add‑on for iPhone and Android, contains an unchecked SQL Injection flaw in the nh_ynaa_comments() function. Unsanitized user input is concatenated into a database query without proper escaping or prepared statements, enabling any visitor to inject SQL code. Successful exploitation allows attackers to append or replace statements in the existing query, thereby exfiltrating rows from the database, potentially exposing user credentials, content, or proprietary data. The vulnerability is classified as CWE-89 and results in a high severity CVSS score of 7.5.

Affected Systems

This vulnerability affects the Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App for WordPress, versions up to and including 0.8.8.8. The plugin is identified under the nebelhorn:Blappsta Mobile App Plugin product line and is distributed via the WordPress plugin repository. Any WordPress site that has installed the plugin before the release of 0.8.8.9 (or a later fixed version) is susceptible to the flaw.

Risk and Exploitability

The CVSS score of 7.5 denotes a high‑severity vulnerability with significant impact. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild at present, and the issue has not been listed in CISA’s KEV catalog. However, the flaw allows unauthenticated SQL injection through the plugin’s exposed endpoint; the likely attack vector involves sending a crafted HTTP request that injects SQL code into the nh_ynaa_comments() function, enabling the attacker to read sensitive data from the database and potentially compromise confidentiality and integrity of the affected site.

Generated by OpenCVE AI on April 21, 2026 at 02:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Blappsta Mobile App Plugin to the newest available release that addresses the flaw.
  • If an update is not yet available, turn the plugin off or delete it to remove the vulnerable code.
  • If the site has custom PHP code that interacts with the database, refactor it to use prepared statements or a proper ORM to avoid unsanitized input.
  • Deploy a WAF rule that detects typical SQL injection payloads targeting the plugin’s endpoint, and monitor request logs for failed login attempts or unusual query patterns.

Generated by OpenCVE AI on April 21, 2026 at 02:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-32262 The Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App plugin for WordPress is vulnerable to SQL Injection via the nh_ynaa_comments() function in all versions up to, and including, 0.8.8.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Mon, 06 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Nebelhorn
Nebelhorn blappsta Mobile App Plugin
Wordpress
Wordpress wordpress
Vendors & Products Nebelhorn
Nebelhorn blappsta Mobile App Plugin
Wordpress
Wordpress wordpress

Fri, 03 Oct 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 03 Oct 2025 11:30:00 +0000

Type Values Removed Values Added
Description The Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App plugin for WordPress is vulnerable to SQL Injection via the nh_ynaa_comments() function in all versions up to, and including, 0.8.8.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App <= 0.8.8.8 - Unauthenticated SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Nebelhorn Blappsta Mobile App Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:09:14.810Z

Reserved: 2025-08-19T17:29:18.524Z

Link: CVE-2025-9200

cve-icon Vulnrichment

Updated: 2025-10-03T18:15:49.696Z

cve-icon NVD

Status : Deferred

Published: 2025-10-03T12:15:46.717

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9200

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T02:45:25Z

Weaknesses