{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6462", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-20T21:53:33.207Z", "datePublished": "2025-06-29T04:23:58.324Z", "dateUpdated": "2026-04-08T17:13:30.971Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:30.971Z"}, "affected": [{"vendor": "scheeeli", "product": "EZ SQL Reports Shortcode Widget and DB Backup", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.25.11", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's SQLREPORT shortcode in all versions up to, and including, 5.25.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "EZ SQL Reports Shortcode Widget and DB Backup <= 5.25.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via SQLREPORT Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a6811f19-07fb-4c05-977f-90f9c5d89bb4?source=cve"}, {"url": "https://wordpress.org/plugins/elisqlreports/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3318513/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2025-06-21T16:22:24.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-06-28T16:21:52.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-30T15:53:17.299823Z", "id": "CVE-2025-6462", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-30T15:53:23.429Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6462", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-30T15:53:17.299823Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-30T15:53:20.762Z"}}], "cna": {"title": "EZ SQL Reports Shortcode Widget and DB Backup <= 5.25.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via SQLREPORT Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "scheeeli", "product": "EZ SQL Reports Shortcode Widget and DB Backup", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.25.11"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-21T16:22:24.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-06-28T16:21:52.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a6811f19-07fb-4c05-977f-90f9c5d89bb4?source=cve"}, {"url": "https://wordpress.org/plugins/elisqlreports/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3318513/"}], "descriptions": [{"lang": "en", "value": "The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's SQLREPORT shortcode in all versions up to, and including, 5.25.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:30.971Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6462", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:13:30.971Z", "dateReserved": "2025-06-20T21:53:33.207Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-29T04:23:58.324Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ieonly:ez_sql_reports_shortcode_widget_and_db_backup:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "ED6D55DB-D201-4EF0-BDF5-7569964D9F05", "versionEndExcluding": "5.25.25", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's SQLREPORT shortcode in all versions up to, and including, 5.25.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento EZ SQL Reports Shortcode Widget y DB Backup para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del shortcode SQLREPORT del complemento en todas las versiones hasta la 5.25.11 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-6462", "lastModified": "2025-07-08T14:40:49.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-06-29T05:15:20.663", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3318513/"}, {"source": "security@wordfence.com", "tags": ["Product", "Release Notes"], "url": "https://wordpress.org/plugins/elisqlreports/#developers"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a6811f19-07fb-4c05-977f-90f9c5d89bb4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T20:24:08.166376+00:00", "value": {"mitigation_remediation": ["Update the EZ SQL Reports Shortcode Widget and DB Backup plugin to the latest available version that removes the SQLREPORT shortcode vulnerability.", "If an update is not yet available, deactivate or uninstall the plugin to eliminate the attack surface. If the plugin cannot be removed, consider disabling the SQLREPORT shortcode or preventing contributors from adding it.", "Review and, if possible, limit contributor role permissions so that they cannot add or modify shortcodes that execute arbitrary code. Configuring the plugin or using a role\u2011management plugin to restrict shortcode usage can mitigate the risk until a patch is applied."], "summary": {"action": "Patch Update", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Scheeeli\u2019s EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is affected in all releases up to and including version 5.25.11. Users running those or earlier versions should check the vendor\u2019s plugin page for an updated release that fixes the vulnerability.", "description_and_impact": "The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress has a stored cross\u2011site scripting flaw caused by insufficient input sanitization and output escaping on the SQLREPORT shortcode attributes. Specifically, contributors or higher-level users can embed arbitrary web scripts into pages, and those scripts are executed when any authenticated or unauthenticated visitor loads the affected page. This allows attackers to run client\u2011side code in the context of a legitimate user, potentially leading to session hijacking, defacement or other malicious actions.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.4, indicating moderate severity, and an EPSS score of less than 1%, reflecting a low projected exploitation probability in the general population. It is not listed in the CISA KEV catalog. Attackers must be authenticated with contributor-level or higher privileges to insert the malicious payload, after which the script will execute for any user who views the affected page."}}}}, "created": "2025-07-13T21:48:25.711247+00:00", "updated": "2026-04-20T20:30:16.070136+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}