CVE-2025-28967
BaseFortify
Publication date: 2025-07-04
Last updated on: 2026-04-23
Assigner: Patchstack
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an SQL Injection issue in the WordPress plugin 'Contact Us page - Contact people LITE' up to version 3.7.4. It allows a malicious actor with at least contributor-level privileges to manipulate the plugin's database by injecting malicious SQL commands. This can lead to unauthorized access or theft of data stored in the database. The vulnerability is classified under OWASP Top 10 category A3: Injection and has a high severity CVSS score of 8.5. [1]
How can this vulnerability impact me?
If exploited, this vulnerability can allow attackers to access or steal sensitive data from your website's database without authorization. This could compromise user information and potentially lead to further attacks or data breaches. Although the likelihood of exploitation is considered low and the patch priority is low, the impact is high due to the potential for data exposure. Exploitation requires contributor-level privileges, so attackers would need some level of access to the site. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this SQL Injection vulnerability requires monitoring for unusual database interactions or attempts to exploit the Contact Us page - Contact people LITE plugin. Since exploitation requires contributor-level privileges, reviewing logs for suspicious contributor activity is recommended. However, plugin-based malware scanners may be unreliable for detecting this issue. No specific detection commands are provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying virtual patching (vPatching) offered by Patchstack, which provides automatic protection against this vulnerability despite the absence of an official patch. Additionally, users should consider restricting contributor-level privileges to trusted users only and seek professional incident response services if compromise is suspected. [1]