{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12502", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2025-10-30T09:01:05.379Z", "datePublished": "2025-11-20T06:00:02.985Z", "dateUpdated": "2026-04-02T12:39:51.836Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:51.836Z"}, "title": "Attention Bar <= 0.7.2.1 - Admin+ SQLi", "problemTypes": [{"descriptions": [{"description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "attention-bar", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThanOrEqual": "0.7.2.1"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "The attention-bar WordPress plugin through 0.7.2.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users such as administrator to perform SQL injection attacks"}], "references": [{"url": "https://wpscan.com/vulnerability/75e63134-4c8a-45fd-b7fc-db40644ddb8c/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Yousof Nahya", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"references": [{"url": "https://wpscan.com/vulnerability/75e63134-4c8a-45fd-b7fc-db40644ddb8c/", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-11-20T14:32:50.833313Z", "id": "CVE-2025-12502", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-20T14:32:54.501Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-12502", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-20T14:32:50.833313Z"}}}], "references": [{"url": "https://wpscan.com/vulnerability/75e63134-4c8a-45fd-b7fc-db40644ddb8c/", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-20T14:32:41.652Z"}}], "cna": {"title": "Attention Bar <= 0.7.2.1 - Admin+ SQLi", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Yousof Nahya"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "attention-bar", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.7.2.1"}], "defaultStatus": "unknown"}], "references": [{"url": "https://wpscan.com/vulnerability/75e63134-4c8a-45fd-b7fc-db40644ddb8c/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The attention-bar WordPress plugin through 0.7.2.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users such as administrator to perform SQL injection attacks"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-89 SQL Injection"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:51.836Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12502", "state": "PUBLISHED", "dateUpdated": "2026-04-02T12:39:51.836Z", "dateReserved": "2025-10-30T09:01:05.379Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2025-11-20T06:00:02.985Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The attention-bar WordPress plugin through 0.7.2.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users such as administrator to perform SQL injection attacks"}], "id": "CVE-2025-12502", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-11-20T15:17:23.230", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/75e63134-4c8a-45fd-b7fc-db40644ddb8c/"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://wpscan.com/vulnerability/75e63134-4c8a-45fd-b7fc-db40644ddb8c/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred"}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T10:22:13.270479+00:00", "value": {"mitigation_remediation": ["Upgrade the Attention Bar plugin to the latest available version that addresses this vulnerability.", "If an immediate update is not feasible, temporarily disable the Attention Bar plugin to block the vulnerable functionality.", "Deploy a web application firewall or implement input validation to block potential SQL injection attempts against remaining admin\u2011only endpoints."], "summary": {"action": "Apply Update", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "WordPress installations that use the Attention Bar plugin version 0.7.2.1 or earlier are affected. The plugin is distributed under the Unknown:attention-bar vendor ID, so any site that has installed or upgraded to the affected version is at risk.", "description_and_impact": "The Attention Bar WordPress plugin does not sanitize and escape a user supplied parameter before it is used in a SQL statement. This omission allows administrators, who have high level privileges on the site, to inject arbitrary SQL code. As a result, an attacker with admin access can read, modify or delete data stored in the WordPress database, potentially compromising the confidentiality, integrity and availability of the site.", "risk_and_exploitability": "The CVSS score of 6.8 classifies this vulnerability as moderate severity, and the EPSS score of less than 1 percent suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated administrators to exploit the flaw, so the attack vector is limited to privileged users of the site. However, once executed, the injected SQL commands can give the attacker full control over the plugin\u2019s database data."}}}}, "created": "2025-11-21T09:16:10.737684+00:00", "updated": "2026-04-28T10:30:29.015480+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"], "weaknesses": ["CWE-89"]}