CVE-2025-60062

mmetrodw · tPlayer

The tPlayer WordPress plugin is vulnerable to SQL injection, allowing unauthenticated attackers to manipulate database queries via improperly sanitized input.

Executive summary

A critical SQL injection vulnerability in the tPlayer plugin allows remote, unauthenticated attackers to compromise database integrity and potentially extract sensitive information.

Vulnerability

This is an SQL injection vulnerability where the application fails to properly neutralize special elements in SQL commands. The flaw is exploitable by unauthenticated users through the tplayer-html5-audio-player-with-playlist component.

Business impact

Successful exploitation of this vulnerability can lead to complete unauthorized access to the application’s backend database. Given the CVSS score of 9.4, this poses a severe risk of data breach, potential administrative account takeover, and significant reputational damage.

Remediation

Immediate Action: Cease use of the tPlayer plugin immediately or disable the affected audio player functionality until a vendor-supplied security patch is verified and applied.

Proactive Monitoring: Review database access logs for anomalous query patterns or unusual SQL syntax that may indicate automated injection attempts.

Compensating Controls: Deploy a Web Application Firewall (WAF) with specific rulesets designed to detect and block common SQL injection payloads targeting WordPress plugins.
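The "Proactive Monitoring" step above asks defenders to look for unusual SQL syntax in request logs, and the WAF rulesets in the "Compensating Controls" step match on the same kind of input. The script below is an added example (not code from this advisory or from the tPlayer project) showing what such a check looks like in practice: it parses web-server access-log lines in combined format, URL-decodes each query string (repeatedly, so double-encoded input is not missed), and reports which named injection-style patterns matched. The log lines, IP addresses, paths and the `hypothetical_action` / `id` parameter names are constructed for illustration and are not taken from the plugin.

```python
"""Flag access-log requests whose query strings carry SQL-injection-style syntax.

Added example, not part of the advisory or the tPlayer plugin. All sample log
lines, hosts, paths and parameter names below are constructed/hypothetical.
"""
import re
from urllib.parse import unquote_plus

# Named detection patterns so an alert can say what it matched. They are
# deliberately broad (case-insensitive, tolerant of /**/ in place of spaces).
SQLI_PATTERNS = [
    ("union_select", re.compile(
        r"\bunion\b(?:\s|/\*.*?\*/)+(?:all(?:\s|/\*.*?\*/)+)?\bselect\b", re.I)),
    ("comment_terminator", re.compile(r"(?:--|/\*)")),
    ("tautology", re.compile(
        r"\b(?:or|and)\b\s*['\"]?\s*\d+\s*=\s*['\"]?\s*\d+", re.I)),
    ("time_based", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("stacked_query", re.compile(
        r";\s*(?:select|insert|update|delete|drop)\b", re.I)),
    ("info_schema", re.compile(r"\binformation_schema\b", re.I)),
]

# Apache/nginx "combined" log format: client, ident, user, [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def fully_decode(value, max_rounds=3):
    """URL-decode until the string stops changing, so %2527 -> %27 -> ' is caught."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_request(target):
    """Return the names of the patterns matched by the decoded query string of a request target."""
    _path, _sep, query = target.partition("?")
    if not query:
        return []
    decoded = fully_decode(query)
    return [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]


def scan_log_lines(lines):
    """Parse combined-format log lines and return one finding per suspicious request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if not match:          # blank or non-matching lines are skipped, not treated as hits
            continue
        hits = analyse_request(match.group("target"))
        if hits:
            findings.append({
                "line": number,
                "ip": match.group("ip"),
                "target": match.group("target"),
                "patterns": hits,
            })
    return findings


# Constructed sample log: lines 2, 3 and 4 are the ones a reviewer should see flagged.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [10/Oct/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=hypothetical_action&id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2025:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=hypothetical_action&id=42%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2025:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=hypothetical_action&id=42%2527%2520OR%25201%253D1 HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2025:12:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=hypothetical_action&id=42%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Oct/2025:12:00:10 +0000] "GET /?s=audio-player HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [10/Oct/2025:12:00:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {finding['line']}: {finding['ip']} {finding['target']} -> {finding['patterns']}")
```

The pattern list is intentionally simple and will produce some false positives (for example, a legitimate parameter value containing `--`); in practice the output should be triaged alongside response sizes and request rates rather than blocked outright, and the same expressions can be carried over into a WAF rule once tuned against the site's own traffic.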

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The severity of this vulnerability necessitates immediate attention. Organizations utilizing the tPlayer plugin should verify whether they are running an affected version and prioritize removing or updating the component to prevent unauthorized database access.