CVE-2025-14068
Unknown Unknown - Not Provided
Time-Based SQL Injection in WPNakama WordPress Plugin Allows Data Exposure

Publication date: 2025-12-12

Last updated on: 2025-12-12

Assigner: Wordfence

Description
The WPNakama plugin for WordPress is vulnerable to time-based SQL Injection via the 'order_by' parameter in all versions up to, and including, 0.6.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-12-12
EPSS Evaluated
2026-06-14
NVD
CVE-2025-14068
EUVD
EUVD-2025-203058
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence wpnakama *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a time-based SQL Injection in the WPNakama WordPress plugin (versions up to 0.6.3). It occurs because the 'order_by' parameter is not properly escaped or prepared in SQL queries, allowing unauthenticated attackers to inject additional SQL commands. This can be exploited to extract sensitive information from the database.

Impact Analysis

The vulnerability allows unauthenticated attackers to extract sensitive information from the database by injecting SQL queries. This can lead to data breaches, exposure of confidential data, and potential compromise of the affected WordPress site.

Compliance Impact

The vulnerability allows unauthenticated attackers to perform time-based SQL Injection to extract sensitive information from the database. This unauthorized data exposure could lead to violations of data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access and breaches. Therefore, exploitation of this vulnerability may result in non-compliance with these standards due to potential data leakage. [2, 3]

Detection Guidance

This vulnerability can be detected by monitoring for unusual or suspicious HTTP requests targeting the 'order_by' parameter in the WPNakama plugin's REST API endpoints, especially those attempting to inject SQL code. Since the vulnerability involves time-based SQL injection via the 'order_by' parameter, you can look for requests with unusual or unexpected SQL syntax in this parameter. For example, using network monitoring tools or web server logs, search for requests to endpoints like '/wp-json/wpnakama/v1/boards' with 'order_by' parameters containing SQL keywords or payloads. Example commands to detect such attempts include: 1. Using grep on web server logs: grep -i 'order_by=.*select' /var/log/apache2/access.log 2. Using tcpdump to capture HTTP traffic and filter for suspicious 'order_by' parameters: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'order_by=' 3. Using a web application firewall (WAF) or intrusion detection system (IDS) with rules to detect SQL injection patterns in query parameters. These methods help identify exploitation attempts by unauthenticated attackers trying to append SQL queries via the vulnerable parameter. [2, 3]

Mitigation Strategies

Immediate mitigation steps include: 1. Update the WPNakama plugin to a version later than 0.6.3 where the vulnerability is fixed (e.g., version 0.8.0 or later). 2. If updating is not immediately possible, restrict access to the vulnerable REST API endpoints by implementing access controls such as IP whitelisting or requiring authentication. 3. Employ a Web Application Firewall (WAF) to block requests containing suspicious SQL injection patterns, especially targeting the 'order_by' parameter. 4. Monitor logs for exploitation attempts and block offending IP addresses. 5. Review and apply any security patches or updates provided by the plugin maintainers. These steps help prevent unauthenticated attackers from exploiting the time-based SQL injection vulnerability to extract sensitive database information. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14068. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart