CVE-2025-31424
BaseFortify
Publication date: 2025-06-09
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
The vulnerability can allow attackers to steal or manipulate sensitive data stored in the database without authentication. This can result in data breaches, loss of data integrity, and potential disruption of service. Since the vulnerability has a high severity score (9.3), it poses a critical risk to affected websites. There is currently no official patch, so sites remain vulnerable unless mitigated by a virtual patch or other protective measures. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this SQL Injection vulnerability can involve monitoring for unusual or unauthorized SQL queries targeting the WP Lead Capturing Pages plugin endpoints. Since no specific detection commands are provided, general methods include using web application firewalls (WAF) with SQLi detection rules, inspecting web server logs for suspicious query parameters, and employing vulnerability scanners that test for SQL Injection. Additionally, applying the Patchstack virtual patch can help block exploitation attempts and may provide logging of blocked attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the Patchstack virtual patch (vPatch) released to block exploitation attempts until an official fix is available. It is also recommended to perform professional incident response and conduct server-side malware scanning if the site is suspected to be compromised. Since no official patch or fixed plugin version is currently available, these measures are critical to reduce risk. [1]
Can you explain this vulnerability to me?
This vulnerability is a Blind SQL Injection in the WordPress WP Lead Capturing Pages plugin (up to version 2.3). It allows unauthenticated attackers to inject and execute arbitrary SQL commands on the website's database by improperly neutralizing special elements in SQL commands. This can lead to unauthorized access to or manipulation of the database. [1]