
CVE-2025-2511: SQL Injection

WordPress Plugin AHAthat, discovered by Seckhmet

Vulnerability Information

CVE ID: CVE-2025-2511
Type: SQL Injection (SQLi)
Affected Component: WordPress Plugin AHAthat
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 4.9 (Medium)
Discovered by: Seckhmet

Description

A SQL Injection vulnerability was identified in the WordPress plugin AHAthat. This flaw allows an attacker with administrator privileges (PR:H) to manipulate SQL queries and exfiltrate sensitive data from the WordPress database.

Although exploitation requires elevated rights, the impact on confidentiality is critical (C:H), potentially leading to the disclosure of user data, credentials, or sensitive information stored in the database.

CVSS Analysis

  • AV:N: Network vector, remotely exploitable
  • AC:L: Low attack complexity, direct exploitation
  • PR:H: High privileges required (administrator)
  • UI:N: No user interaction required
  • S:U: Unchanged scope
  • C:H / I:N / A:N: Critical impact on confidentiality, no impact on integrity or availability

Recommendations

Update the AHAthat plugin to the patched version. Apply the principle of least privilege on WordPress administrator accounts. Use prepared statements for all database interactions on the developer side.
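The developer-side recommendation, shown as an added illustration that is not AHAthat's code: a hypothetical admin-only AJAX handler in a WordPress plugin, first with the request value interpolated into the query and then with a `$wpdb->prepare()` placeholder. The table name `example_items`, the `name` parameter and the `example_lookup` action are placeholders. Note that the capability check alone would not have removed this bug class, since the advisory's attacker already holds administrator rights; the prepared statement is the actual fix.

```php
<?php
// Added illustration for this advisory (not the plugin's own code). Table name,
// parameter name and AJAX action are hypothetical.

// Weak pattern: the request value is concatenated straight into the SQL string,
// so a privileged user can alter the query the plugin runs.
function example_lookup_unsafe() {
    global $wpdb;
    $name = isset( $_POST['name'] ) ? wp_unslash( $_POST['name'] ) : '';
    $sql  = "SELECT id, email FROM {$wpdb->prefix}example_items WHERE name = '$name'";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: capability check, nonce check, input sanitisation and a
// prepared statement. The table name is built from $wpdb->prefix (trusted, not
// user input); only the user-supplied value goes through a %s placeholder.
function example_lookup_safe() {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_lookup', 'nonce' );

    $name = isset( $_POST['name'] )
        ? sanitize_text_field( wp_unslash( $_POST['name'] ) )
        : '';

    // $wpdb->prepare() escapes the value and quotes %s itself; no manual quoting.
    $sql = $wpdb->prepare(
        "SELECT id, email FROM {$wpdb->prefix}example_items WHERE name = %s",
        $name
    );
    return $wpdb->get_results( $sql );
}

// Hypothetical registration of the hardened handler for logged-in users only.
add_action( 'wp_ajax_example_lookup', function () {
    wp_send_json_success( example_lookup_safe() );
} );
```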