{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68053", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:01:11.954Z", "datePublished": "2025-12-16T08:12:59.596Z", "dateUpdated": "2026-04-28T16:14:27.776Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "top_bar_promoter", "product": "xPromoter", "vendor": "LambertGroup", "versions": [{"changes": [{"at": "1.3.5", "status": "unaffected"}], "lessThanOrEqual": "1.3.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:24:28.838Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup xPromoter top_bar_promoter allows Blind SQL Injection.<p>This issue affects xPromoter: from n/a through <= 1.3.4.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup xPromoter top_bar_promoter allows Blind SQL Injection.This issue affects xPromoter: from n/a through <= 1.3.4."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:27.776Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/top_bar_promoter/vulnerability/wordpress-xpromoter-plugin-1-3-4-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress xPromoter plugin <= 1.3.4 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-16T20:44:05.595491Z", "id": "CVE-2025-68053", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:30:06.366Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68053", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-16T20:44:05.595491Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-16T20:43:56.314Z"}}], "cna": {"title": "WordPress xPromoter plugin <= 1.3.4 - SQL Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "LambertGroup", "product": "xPromoter", "versions": [{"status": "affected", "changes": [{"at": "1.3.5", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.3.4"}], "packageName": "top_bar_promoter", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:24:28.838Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/top_bar_promoter/vulnerability/wordpress-xpromoter-plugin-1-3-4-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup xPromoter top_bar_promoter allows Blind SQL Injection.This issue affects xPromoter: from n/a through <= 1.3.4.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup xPromoter top_bar_promoter allows Blind SQL Injection.<p>This issue affects xPromoter: from n/a through <= 1.3.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:27.776Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68053", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:27.776Z", "dateReserved": "2025-12-15T10:01:11.954Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2025-12-16T08:12:59.596Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup xPromoter top_bar_promoter allows Blind SQL Injection.This issue affects xPromoter: from n/a through <= 1.3.4."}], "id": "CVE-2025-68053", "lastModified": "2026-04-27T19:16:23.433", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2025-12-16T09:16:00.930", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/top_bar_promoter/vulnerability/wordpress-xpromoter-plugin-1-3-4-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T10:13:19.605718+00:00", "value": {"mitigation_remediation": ["Upgrade the xPromoter plugin to a version that includes the patch, typically 1.3.5 or newer.", "Disable or uninstall the xPromoter plugin if upgrading is not feasible.", "Monitor database queries and logs for unusual activity that may indicate exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized data access via blind SQL injection"}, "threat_synthesis": {"affected_systems": "LambertGroup\u2019s xPromoter WordPress plugin versions up to 1.3.4 are affected. No other vendors or versions are listed. Users running these versions should verify the plugin version and consider upgrading.", "description_and_impact": "This vulnerability allows attackers to execute blind SQL injection through the LambertGroup xPromoter top_bar_promoter plugin, enabling unauthorized access to sensitive data. The flaw arises from improper neutralization of special elements in an SQL command, classified as CWE\u201189. Although the injection is blind, it permits manipulation of database queries without visible errors, potentially exposing confidential information.", "risk_and_exploitability": "The vulnerability has a CVSS score of 8.5, indicating high severity, while the EPSS score is less than 1%, reflecting a low probability of exploitation in the wild. The plugin is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an attacker who can reach the plugin\u2019s input fields\u2014typically through authenticated or privileged site access\u2014and construct SQL queries that exploit the input handling flaw. Because the injection is blind, the attacker may need to infer results via timing or other side\u2011channel techniques. The high severity warrants immediate remediation."}}}}, "created": "2025-12-16T17:09:12.561677+00:00", "updated": "2026-04-28T10:15:28.864087+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}