CVE-2025-5287
Unauthenticated SQL injection vulnerability in the Likes and Dislikes Plugin for WordPress
Overview
A high severity unauthenticated SQL injection vulnerability is present in the Likes and Dislikes Plugin for WordPress. The vulnerability arises from insufficient escaping of user-supplied parameters and a lack of prepared statements in the plugin's SQL queries.
Technical Details
The vulnerability is exploitable via the 'post' parameter in versions up to and including 1.0.0. This allows unauthenticated attackers to append additional SQL queries to existing ones, enabling the extraction of sensitive information from the database.
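The defect class described above, as an added illustration that is not the plugin's own code: a hypothetical handler that reads the 'post' request parameter and counts likes for that post, first with the parameter interpolated unescaped into the query, then with the input coerced to an integer and bound through WordPress's $wpdb->prepare(). The table and column names are assumptions.

```php
<?php
// Added example, not code from the Likes and Dislikes Plugin. The table
// "{$wpdb->prefix}likes" and its "post_id" column are assumptions.

// Unsafe pattern (the kind of defect the advisory describes): the raw
// 'post' parameter is concatenated into the SQL string with no escaping
// and no preparation, so whatever is sent in 'post' becomes part of the
// query text.
function count_likes_vulnerable( $wpdb ) {
    $post = isset( $_REQUEST['post'] ) ? $_REQUEST['post'] : '';
    $sql  = "SELECT COUNT(*) FROM {$wpdb->prefix}likes WHERE post_id = '$post'";
    return $wpdb->get_var( $sql );
}

// Hardened pattern: absint() reduces the input to a non-negative integer,
// and $wpdb->prepare() binds it as a %d placeholder, so the value can only
// ever be a number in the query. Missing or non-numeric input is rejected
// before any SQL is executed.
function count_likes_hardened( $wpdb ) {
    $post_id = isset( $_REQUEST['post'] ) ? absint( $_REQUEST['post'] ) : 0;
    if ( 0 === $post_id ) {
        return 0; // no valid post ID supplied
    }
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}likes WHERE post_id = %d",
        $post_id
    );
    return (int) $wpdb->get_var( $sql );
}
```

For string-valued parameters the same approach applies with the %s placeholder, which prepare() escapes; building the query string by hand is what the advisory's "insufficient preparation" refers to.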
CVSS Metrics
- attack_vector: NETWORK
- attack_complexity: LOW
- privileges_required: NONE
- user_interaction: NONE
- scope: UNCHANGED
- confidentiality_impact: HIGH
- integrity_impact: NONE
- availability_impact: NONE
Impact
The vulnerability could allow unauthenticated attackers to conduct SQL injection attacks, potentially exposing sensitive information from the database.
Recommendations
Update the Likes and Dislikes Plugin to the latest version, or disable the plugin if no fixed version is available. Employ a web application firewall that can detect and block SQL injection attempts.
Threat Metrics
- cvss_score: 7.5
- severity: HIGH
- attack_vector: NETWORK
- attack_complexity: LOW