{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69309", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:02.742Z", "datePublished": "2026-02-20T15:46:48.321Z", "dateUpdated": "2026-04-28T20:47:42.255Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "saasplate-core", "product": "Saasplate Core", "vendor": "TeconceTheme", "versions": [{"lessThanOrEqual": "1.2.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:27.024Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Saasplate Core saasplate-core allows Blind SQL Injection.<p>This issue affects Saasplate Core: from n/a through <= 1.2.8.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Saasplate Core saasplate-core allows Blind SQL Injection.This issue affects Saasplate Core: from n/a through <= 1.2.8."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:37.170Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/saasplate-core/vulnerability/wordpress-saasplate-core-plugin-1-2-8-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Saasplate Core plugin <= 1.2.8 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T18:51:06.459607Z", "id": "CVE-2025-69309", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T20:47:42.255Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69309", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-24T18:51:06.459607Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T18:51:19.124Z"}}], "cna": {"title": "WordPress Saasplate Core plugin <= 1.2.8 - SQL Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "affected": [{"vendor": "TeconceTheme", "product": "Saasplate Core", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.2.8"}], "packageName": "saasplate-core", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:03:27.024Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/saasplate-core/vulnerability/wordpress-saasplate-core-plugin-1-2-8-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Saasplate Core saasplate-core allows Blind SQL Injection.This issue affects Saasplate Core: from n/a through <= 1.2.8.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Saasplate Core saasplate-core allows Blind SQL Injection.<p>This issue affects Saasplate Core: from n/a through <= 1.2.8.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:13:12.553Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69309", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:13:12.553Z", "dateReserved": "2025-12-31T20:12:02.742Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:48.321Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Saasplate Core saasplate-core allows Blind SQL Injection.This issue affects Saasplate Core: from n/a through <= 1.2.8."}, {"lang": "es", "value": "Vulnerabilidad de Neutralizaci\u00f3n Inadecuada de Elementos Especiales utilizados en un Comando SQL ('Inyecci\u00f3n SQL') en TeconceTheme Saasplate Core saasplate-core permite Inyecci\u00f3n SQL Ciega. Este problema afecta a Saasplate Core: desde n/a hasta &lt;= 1.2.8."}], "id": "CVE-2025-69309", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:19.137", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/saasplate-core/vulnerability/wordpress-saasplate-core-plugin-1-2-8-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Saasplate Core", "source": "cna", "vendor": "TeconceTheme"}, "product": "saasplate_core", "vendor": "teconcetheme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-27T20:35:23.203459+00:00", "value": {"mitigation_remediation": ["Update Saasplate Core to a version newer than 1.2.8 or apply the vendor\u2019s official patch if available", "If an immediate update is not possible, block the plugin\u2019s endpoint with a web application firewall rule that rejects suspicious SQL patterns", "Restrict access to the plugin\u2019s administration pages so that only authorized users with the necessary privileges can reach the vulnerable code"], "summary": {"action": "Immediate Patch", "impact": "Blind SQL Injection enabling arbitrary data disclosure"}, "threat_synthesis": {"affected_systems": "The flaw affects the Saasplate Core plugin distributed by TeconceTheme, affecting all installed versions up to and including 1.2.8. Systems running these versions are susceptible unless the plugin is removed or patched.", "description_and_impact": "TeconceTheme Saasplate Core contains an SQL injection flaw that allows an attacker to inject malicious SQL statements into database queries. The vulnerability manifests as a blind injection, enabling the attacker to infer database content and potentially extract sensitive information such as usernames, passwords, and other stored data. The primary impact is unauthorized data exposure with the potential for further compromise of the WordPress site.", "risk_and_exploitability": "The CVSS score of 9.3 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not cataloged in CISA\u2019s KEV list. Based on the description, the attack vector is likely remote via the web interface that hosts the plugin, and authentication requirements are not specified, implying the attack could be carried out against publicly accessible instances. An attacker could send crafted SQL queries to the vulnerable endpoint and, through blind inference techniques, retrieve database contents."}}}}, "created": "2026-02-23T14:37:35.992508+00:00", "updated": "2026-04-27T20:45:12.704815+00:00", "vendors": ["teconcetheme", "teconcetheme$PRODUCT$saasplate_core", "wordpress", "wordpress$PRODUCT$wordpress"]}