{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69304", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:02.742Z", "datePublished": "2026-02-20T15:46:47.349Z", "dateUpdated": "2026-04-28T20:46:53.269Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "allmart-core", "product": "Allmart", "vendor": "TeconceTheme", "versions": [{"lessThanOrEqual": "1.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:49.664Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Allmart allmart-core allows Blind SQL Injection.<p>This issue affects Allmart: from n/a through <= 1.1.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Allmart allmart-core allows Blind SQL Injection.This issue affects Allmart: from n/a through <= 1.1."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:37.019Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/allmart-core/vulnerability/wordpress-allmart-plugin-1-1-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Allmart plugin <= 1.1 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T19:23:44.971793Z", "id": "CVE-2025-69304", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T20:46:53.269Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69304", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-24T19:23:44.971793Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T19:24:05.175Z"}}], "cna": {"title": "WordPress Allmart plugin <= 1.1 - SQL Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "affected": [{"vendor": "TeconceTheme", "product": "Allmart", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.1"}], "packageName": "allmart-core", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:03:49.664Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/allmart-core/vulnerability/wordpress-allmart-plugin-1-1-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Allmart allmart-core allows Blind SQL Injection.This issue affects Allmart: from n/a through <= 1.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Allmart allmart-core allows Blind SQL Injection.<p>This issue affects Allmart: from n/a through <= 1.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:13:11.619Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69304", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:13:11.619Z", "dateReserved": "2025-12-31T20:12:02.742Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:47.349Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Allmart allmart-core allows Blind SQL Injection.This issue affects Allmart: from n/a through <= 1.1."}, {"lang": "es", "value": "Vulnerabilidad de Neutralizaci\u00f3n Incorrecta de Elementos Especiales utilizados en un Comando SQL ('Inyecci\u00f3n SQL') en TeconceTheme Allmart allmart-core permite Inyecci\u00f3n SQL Ciega. Este problema afecta a Allmart: desde n/a hasta &lt;= 1.1."}], "id": "CVE-2025-69304", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:18.397", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/allmart-core/vulnerability/wordpress-allmart-plugin-1-1-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Allmart", "source": "cna", "vendor": "TeconceTheme"}, "product": "allmart", "vendor": "teconcetheme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T09:34:14.741846+00:00", "value": {"mitigation_remediation": ["Apply the official patch that updates Allmart to version 1.2 or later, which removes the vulnerable query paths.", "Ensure the WordPress database user has only the permissions required for the plugin and does not have super\u2011user rights to the database.", "Deploy network\u2011level restrictions or a web\u2011application firewall to limit which IP addresses or user agents can access the WordPress site, and consider rate\u2011limiting to detect and block excessive query attempts."], "summary": {"action": "Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "TeconceTheme Allmart Allmart\u2011core for WordPress is affected. Every installation that has a version number of 1.1 or earlier is vulnerable; versions newer than 1.1 are not listed as affected in the CVE description.", "description_and_impact": "The Allmart plugin for WordPress contains an improper neutralization of special elements in SQL commands, allowing a blind SQL injection flaw. This weakness is defined as CWE\u201189 and enables an attacker to embed malicious SQL fragments into database queries processed by the plugin. The potential impact includes unauthorized read or modification of the database, which can lead to data disclosure, corruption, or further compromise of the WordPress installation.", "risk_and_exploitability": "The vulnerability receives a CVSS score of 9.3, indicating critical severity. The EPSS score is below 1%, suggesting a very low but non\u2011zero likelihood of exploitation, and the issue is not listed in the CISA KEV catalog. It is inferred that the attack vector is remote, requiring an attacker to supply crafted input via HTTP requests to the plugin\u2019s endpoints. Successful exploitation would allow the attacker to perform blind SQL queries against the underlying database."}}}}, "created": "2026-02-23T14:37:40.686376+00:00", "updated": "2026-04-28T09:45:28.447145+00:00", "vendors": ["teconcetheme", "teconcetheme$PRODUCT$allmart", "wordpress", "wordpress$PRODUCT$wordpress"]}