CVE-2025-28972
BaseFortify
Publication date: 2025-06-17
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-28972 is a high-severity SQL Injection vulnerability in the WordPress WP Employee Attendance System plugin (up to version 3.5). It allows a malicious actor with administrator privileges to perform Blind SQL Injection attacks, meaning they can manipulate the website's database by injecting malicious SQL commands without directly seeing the results. This can lead to unauthorized database interactions such as data theft or other manipulations. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with administrator access to interact directly with your website's database, potentially leading to data theft or unauthorized changes to your data. It poses a high risk (CVSS score 7.6) and could result in loss of sensitive information or disruption of your website's functionality. Since no official patch is available yet, immediate mitigation using a virtual patch is recommended to prevent exploitation. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the Patchstack virtual patch (vPatch) which automatically blocks attack attempts targeting this SQL Injection vulnerability until an official fix is released. Additionally, if you suspect your website has been compromised, engage professional incident response services or perform server-side malware scanning rather than relying solely on plugin-based malware scanners, as these can be tampered with. Patchstack recommends urgent action due to the high risk and likelihood of exploitation. [1]