CVE-2025-68034
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-04-27
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cleverreach | cleverreach_wp | to 1.5.22 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68034 is a high-priority SQL Injection vulnerability in the WordPress CleverReach® WP Plugin versions up to and including 1.5.22. It allows unauthenticated attackers to execute arbitrary SQL queries directly on the database by improperly neutralizing special elements used in SQL commands. This can lead to unauthorized access and manipulation of the database. [1]
How can this vulnerability impact me? :
This vulnerability can lead to data theft and other malicious interactions with the database, such as unauthorized data modification or deletion. Because attackers can execute arbitrary SQL queries without authentication, it poses a critical risk to the confidentiality, integrity, and availability of your data and website. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this SQL Injection vulnerability can be performed by monitoring for unusual or unauthorized SQL queries targeting the CleverReach WP plugin endpoints. Since no specific detection commands are provided, users should look for suspicious HTTP requests containing SQL syntax or payloads in web server logs. Additionally, applying the Patchstack mitigation rule can help identify and block exploitation attempts automatically. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves applying the Patchstack mitigation rule released to block attacks exploiting this vulnerability until an official patch is available. Users should implement this mitigation immediately to protect their websites. Since no official fix or patched version is currently available, applying this rule is the recommended protective measure. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to execute arbitrary SQL queries, potentially leading to data theft and unauthorized access to sensitive information. Such data breaches can result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data. Therefore, this SQL Injection vulnerability poses a significant risk to compliance with these standards. [1]