{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68034", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:01:03.747Z", "datePublished": "2026-01-22T16:52:05.046Z", "dateUpdated": "2026-04-28T16:14:27.026Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "cleverreach-wp", "product": "CleverReach\u00ae WP", "vendor": "CleverReach\u00ae", "versions": [{"changes": [{"at": "1.5.22", "status": "unaffected"}], "lessThanOrEqual": "1.5.21", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "0xd4rk5id3 | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:20.056Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CleverReach\u00ae CleverReach\u00ae WP cleverreach-wp allows SQL Injection.<p>This issue affects CleverReach\u00ae WP: from n/a through <= 1.5.21.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CleverReach\u00ae CleverReach\u00ae WP cleverreach-wp allows SQL Injection.This issue affects CleverReach\u00ae WP: from n/a through <= 1.5.21."}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:27.026Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/cleverreach-wp/vulnerability/wordpress-cleverreach-wp-plugin-1-5-22-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress CleverReach\u00ae WP plugin <= 1.5.21 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T17:28:18.136633Z", "id": "CVE-2025-68034", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:29:31.495Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68034", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T17:28:18.136633Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T17:27:59.831Z"}}], "cna": {"title": "WordPress CleverReach\u00ae WP plugin <= 1.5.21 - SQL Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "0xd4rk5id3 | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "CleverReach\u00ae", "product": "CleverReach\u00ae WP", "versions": [{"status": "affected", "changes": [{"at": "1.5.22", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.5.21"}], "packageName": "cleverreach-wp", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:20.056Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/cleverreach-wp/vulnerability/wordpress-cleverreach-wp-plugin-1-5-22-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CleverReach\u00ae CleverReach\u00ae WP cleverreach-wp allows SQL Injection.This issue affects CleverReach\u00ae WP: from n/a through <= 1.5.21.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CleverReach\u00ae CleverReach\u00ae WP cleverreach-wp allows SQL Injection.<p>This issue affects CleverReach\u00ae WP: from n/a through <= 1.5.21.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:55.759Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68034", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:29:31.495Z", "dateReserved": "2025-12-15T10:01:03.747Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:05.046Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CleverReach\u00ae CleverReach\u00ae WP cleverreach-wp allows SQL Injection.This issue affects CleverReach\u00ae WP: from n/a through <= 1.5.21."}, {"lang": "es", "value": "Vulnerabilidad de Neutralizaci\u00f3n Incorrecta de Elementos Especiales utilizados en un Comando SQL ('Inyecci\u00f3n SQL') en CleverReach\u00ae CleverReach\u00ae WP cleverreach-wp permite Inyecci\u00f3n SQL. Este problema afecta a CleverReach\u00ae WP: desde n/a hasta &lt;= 1.5.22."}], "id": "CVE-2025-68034", "lastModified": "2026-04-27T19:16:22.937", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:08.850", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/cleverreach-wp/vulnerability/wordpress-cleverreach-wp-plugin-1-5-22-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T09:53:43.281663+00:00", "value": {"mitigation_remediation": ["Update the CleverReach WP plugin to version 1.5.22 or later to eliminate the vulnerable code.", "If a patch cannot be applied immediately, restrict access to the plugin\u2019s forms and endpoints so that only administrators can interact with them, and consider disabling the plugin on sites that do not need it.", "Deploy a web application firewall rule to detect and block common SQL injection payloads targeting the plugin\u2019s endpoints."], "summary": {"action": "Immediate Patch", "impact": "Database Compromise"}, "threat_synthesis": {"affected_systems": "Any WordPress site running the CleverReach WP plugin version 1.5.21 or earlier is affected. The vulnerability applies regardless of the underlying operating system or WordPress core version, as the flaw exists in the plugin code itself.", "description_and_impact": "The CleverReach WP plugin contains an SQL injection flaw caused by improper neutralization of special characters in SQL statements (CWE\u201189). An attacker who can send crafted input to the vulnerable plugin endpoints can inject arbitrary SQL, potentially reading, modifying, or deleting data from the WordPress database. This compromise could expose sensitive content, disrupt site functionality, and undermine data integrity.", "risk_and_exploitability": "The CVSS score of 9.3 classifies the issue as critical. The EPSS score of <\u202f1\u202f% indicates that active exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is crafted HTTP requests to the plugin\u2019s input endpoints; this can be achieved by any user who can send requests to the site, though no additional authentication or privilege is required beyond this capability. The impact spans the entire database of the affected WordPress installation."}}}}, "created": "2026-01-23T16:30:56.673694+00:00", "updated": "2026-04-28T10:00:06.499504+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}