{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67921", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T09:59:49.436Z", "datePublished": "2026-01-08T09:17:46.911Z", "dateUpdated": "2026-04-28T16:14:23.676Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "lobo", "product": "Lobo", "vendor": "VanKarWai", "versions": [{"changes": [{"at": "2.8.6", "status": "unaffected"}], "lessThanOrEqual": "2.8.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:22:35.066Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VanKarWai Lobo lobo allows Blind SQL Injection.<p>This issue affects Lobo: from n/a through < 2.8.6.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VanKarWai Lobo lobo allows Blind SQL Injection.This issue affects Lobo: from n/a through < 2.8.6."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:23.676Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/lobo/vulnerability/wordpress-lobo-theme-2-8-6-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Lobo theme < 2.8.6 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T18:03:07.546525Z", "id": "CVE-2025-67921", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:03:09.978Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-67921", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T18:03:07.546525Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T14:55:20.811Z"}}], "cna": {"title": "WordPress Lobo theme < 2.8.6 - SQL Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "VanKarWai", "product": "Lobo", "versions": [{"status": "affected", "changes": [{"at": "2.8.6", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.8.6"}], "packageName": "lobo", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:22:35.066Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/lobo/vulnerability/wordpress-lobo-theme-2-8-6-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VanKarWai Lobo lobo allows Blind SQL Injection.This issue affects Lobo: from n/a through < 2.8.6.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VanKarWai Lobo lobo allows Blind SQL Injection.<p>This issue affects Lobo: from n/a through < 2.8.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:23.676Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67921", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:23.676Z", "dateReserved": "2025-12-15T09:59:49.436Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-08T09:17:46.911Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VanKarWai Lobo lobo allows Blind SQL Injection.This issue affects Lobo: from n/a through < 2.8.6."}], "id": "CVE-2025-67921", "lastModified": "2026-04-27T18:16:49.207", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-08T10:15:51.100", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/lobo/vulnerability/wordpress-lobo-theme-2-8-6-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:18:54.152226+00:00", "value": {"mitigation_remediation": ["Upgrade the Lobo theme to version 2.8.6 or later immediately.", "If an upgrade is not feasible, deactivate or remove the Lobo theme from the site to eliminate the attack surface.", "Implement input validation and parameterized queries on any custom code that interacts with the database to avoid repeating this weakness."], "summary": {"action": "Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "Affected are installations of the Lobo theme from VanKarWai, specifically versions from the first release through any version prior to 2.8.6. Any WordPress site using those theme versions is vulnerable unless the theme has been updated beyond the stated cutoff.", "description_and_impact": "The vulnerability is an Improper Neutralization of Special Elements used in an SQL Command, classified as CWE-89, that allows blind SQL injection in the VanKarWai Lobo WordPress theme. Attackers could manipulate untrusted input to alter SQL queries, potentially extracting sensitive data or modifying database contents. The worst\u2011case impact is data compromise and, depending on the database environment, possible elevation of privileges or execution of arbitrary code if the injected payload is later interpreted as a statement with elevated rights.", "risk_and_exploitability": "The CVSS score of 8.5 indicates high severity, while the EPSS score of less than 1% suggests that the likelihood of a successful exploit is low but not impossible. The vulnerability is not listed in CISA\u2019s KEV catalog, implying no known widespread exploitation at present. The attack vector is inferred to be via web\u2011based inputs processed by the theme\u2014such as forum posts, comments, or custom forms\u2014where malicious payloads can be injected into SQL queries."}}}}, "created": "2026-01-09T13:25:00.405931+00:00", "updated": "2026-04-28T18:30:37.322842+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}