{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69305", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:02.742Z", "datePublished": "2026-02-20T15:46:47.544Z", "dateUpdated": "2026-04-28T20:47:02.640Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "crete-core", "product": "Crete Core", "vendor": "TeconceTheme", "versions": [{"lessThanOrEqual": "1.4.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:49.957Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Crete Core crete-core allows Blind SQL Injection.<p>This issue affects Crete Core: from n/a through <= 1.4.3.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Crete Core crete-core allows Blind SQL Injection.This issue affects Crete Core: from n/a through <= 1.4.3."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:37.078Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/crete-core/vulnerability/wordpress-crete-core-plugin-1-4-3-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Crete Core plugin <= 1.4.3 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T19:26:46.395691Z", "id": "CVE-2025-69305", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T20:47:02.640Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69305", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-24T19:26:46.395691Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T19:27:04.892Z"}}], "cna": {"title": "WordPress Crete Core plugin <= 1.4.3 - SQL Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "affected": [{"vendor": "TeconceTheme", "product": "Crete Core", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.4.3"}], "packageName": "crete-core", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:03:49.957Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/crete-core/vulnerability/wordpress-crete-core-plugin-1-4-3-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Crete Core crete-core allows Blind SQL Injection.This issue affects Crete Core: from n/a through <= 1.4.3.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Crete Core crete-core allows Blind SQL Injection.<p>This issue affects Crete Core: from n/a through <= 1.4.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:13:11.783Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69305", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:13:11.783Z", "dateReserved": "2025-12-31T20:12:02.742Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:47.544Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Crete Core crete-core allows Blind SQL Injection.This issue affects Crete Core: from n/a through <= 1.4.3."}, {"lang": "es", "value": "Vulnerabilidad de Neutralizaci\u00f3n Incorrecta de Elementos Especiales utilizados en un Comando SQL ('inyecci\u00f3n SQL') en TeconceTheme Crete Core crete-core permite Inyecci\u00f3n SQL Ciega. Este problema afecta a Crete Core: desde n/a hasta &lt;= 1.4.3."}], "id": "CVE-2025-69305", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:18.573", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/crete-core/vulnerability/wordpress-crete-core-plugin-1-4-3-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Crete Core", "source": "cna", "vendor": "TeconceTheme"}, "product": "crete_core", "vendor": "teconcetheme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-27T20:36:51.846158+00:00", "value": {"mitigation_remediation": ["Update the Crete Core plugin to a version newer than 1.4.3 as soon as possible.", "If an immediate update is not possible, deactivate the Crete Core plugin to remove the exploit surface.", "Deploy a Web Application Firewall rule set that blocks or sanitizes potential SQL injection payloads targeting WordPress, such as filtering suspicious query strings or SQL keywords.", "Monitor database and WordPress audit logs for unauthorized queries or unexpected changes."], "summary": {"action": "Patch Immediately", "impact": "Data Breach"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Crete Core plugin version 1.4.3 or earlier are affected. The flaw exists in all releases up to and including 1.4.3, so any site using these versions must be verified and updated.", "description_and_impact": "The TeconceTheme Crete Core WordPress plugin contains a blind SQL injection flaw that allows a crafted request to execute arbitrary SQL commands. This vulnerability can lead to reading, modifying, or deleting database data, potentially exposing sensitive information or compromising site integrity.", "risk_and_exploitability": "The CVSS score of 9.3 signals critical severity, while the EPSS score of less than 1% indicates that exploits are currently rare. The vulnerability is not listed in the CISA KEV catalog, but the impact is severe if the blind injection is leveraged. Attackers would need to send a crafted request to a Crete Core endpoint; inference suggests the attack vector is via malicious HTTP requests that inject unsanitized SQL fragments. Given the database privileges granted by the plugin, exploitation could expose user data or alter site content."}}}}, "created": "2026-02-23T14:37:39.588500+00:00", "updated": "2026-04-27T20:45:12.705509+00:00", "vendors": ["teconcetheme", "teconcetheme$PRODUCT$crete_core", "wordpress", "wordpress$PRODUCT$wordpress"]}