CVE-2025-5487
BaseFortify
Publication date: 2025-06-14
Last updated on: 2025-06-16
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-5487 is a time-based SQL Injection vulnerability in the AutomatorWP WordPress plugin (versions up to 5.2.3). It occurs because the plugin improperly sanitizes and constructs SQL queries based on user-supplied field_conditions parameters used in automation triggers for posts and users. Authenticated attackers with Administrator-level access or higher can exploit this flaw to append malicious SQL queries, potentially extracting sensitive information from the database. The vulnerability stems from unsafe SQL query construction in functions like automatorwp_utilities_parse_condition_to_sql, which do not sufficiently validate or escape input before building SQL statements. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with Administrator-level access or higher to perform unauthorized SQL queries on the WordPress database via the AutomatorWP plugin. This can lead to extraction of sensitive information, data leakage, and potentially full compromise of the database integrity and confidentiality. Since the plugin allows configuration to extend access to authors and higher, the attack surface may be broader depending on site configuration. The impact includes confidentiality, integrity, and availability risks as indicated by the CVSS score. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2025-5487 involves identifying if the vulnerable AutomatorWP plugin version (up to 5.2.3) is installed and if the 'all-posts' or 'all-users' triggers are configured with field_conditions or meta_conditions that could be exploited. Since the vulnerability requires authenticated Administrator-level access, monitoring for unusual SQL query patterns or unexpected database access related to these triggers can help. Specific commands could include checking the plugin version via WP-CLI: `wp plugin get automatorwp --field=version` and reviewing the plugin's triggers configuration in the WordPress admin or database. Additionally, monitoring database logs for suspicious SQL queries involving the field_conditions parameter may help detect exploitation attempts. However, no explicit detection commands are provided in the resources. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the AutomatorWP plugin to version 5.2.6 or later, where the vulnerability has been fixed by enhancing sanitization and validation of input fields and meta keys/values in SQL query construction. Until the update can be applied, restrict Administrator-level access to trusted users only, and avoid configuring or using the 'all-posts' and 'all-users' triggers with field_conditions or meta_conditions that accept user input. Monitoring and limiting access to the plugin's automation features can reduce risk. [1]