CVE-2025-14770
SQL Injection in Shipping Rate By Cities WordPress Plugin
Publication date: 2026-01-14
Last updated on: 2026-01-14
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | shipping_rate_by_cities | to 2.0.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
The vulnerability can allow an unauthenticated attacker to extract sensitive information from the website's database by injecting malicious SQL queries through the 'city' parameter. This could lead to data leakage, exposing confidential data stored in the database without authorization. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated attackers to perform SQL Injection attacks that can extract sensitive information from the database. Such unauthorized data access can lead to breaches of personal or sensitive data, potentially violating compliance requirements under standards like GDPR and HIPAA, which mandate protection of sensitive information and proper data security measures. [1]
Can you explain this vulnerability to me?
This vulnerability is an SQL Injection in the Shipping Rate By Cities WordPress plugin (up to version 2.0.0). It occurs because the plugin does not properly escape or prepare the 'city' parameter in its SQL queries. This allows unauthenticated attackers to inject malicious SQL code into the database queries, potentially extracting sensitive information from the database. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests to the Shipping Rate By Cities plugin, specifically looking for SQL injection attempts via the 'city' parameter. You can use network monitoring tools like tcpdump or Wireshark to capture HTTP traffic and grep for suspicious 'city' parameter values containing SQL syntax (e.g., quotes, OR, AND, UNION). Additionally, you can use curl commands to test the plugin endpoint by injecting SQL payloads in the 'city' parameter and observing the response for errors or unexpected data. Example curl command: curl -G 'http://yourwordpresssite.com/wp-admin/admin-ajax.php' --data-urlencode "city=' OR 1=1--". Also, scanning the WordPress database queries or logs for anomalies related to city parameter usage can help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling the Shipping Rate By Cities plugin until a patched version is available, or restricting access to the plugin's endpoints to trusted users only. Additionally, you can implement Web Application Firewall (WAF) rules to block SQL injection patterns targeting the 'city' parameter. Reviewing and sanitizing inputs in the plugin code to use prepared statements instead of direct SQL interpolation is a long-term fix. Monitoring logs for suspicious activity and applying principle of least privilege to database users can also reduce risk. [1]