CVE-2025-67950

Syed · Syed Balkhi All In Multiple Products


Executive summary

A high-severity SQL Injection vulnerability, identified as CVE-2025-67950, has been discovered in multiple products from Syed Balkhi All In, specifically affecting the All In One SEO Pack. This flaw could allow an unauthenticated attacker to manipulate the website's database, potentially leading to the theft of sensitive information, such as user data and credentials, and compromising the integrity of the website's content.

Vulnerability

The vulnerability is an Improper Neutralization of Special Elements used in an SQL Command, commonly known as SQL Injection. The All In One SEO Pack plugin fails to properly sanitize or validate user-supplied input before it is used to construct a database query. An attacker can exploit this by crafting a malicious input string containing SQL commands, which are then executed by the backend database. This specific flaw allows for Blind SQL Injection, where an attacker does not receive direct results from the database but can infer information by asking a series of true/false questions and observing the application's response, or by measuring the time it takes for the server to respond.

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.5. Successful exploitation could have a significant negative impact on the business. An attacker could exfiltrate sensitive data from the database, including customer personally identifiable information (PII), user credentials, and proprietary business data. This could result in severe reputational damage, loss of customer trust, financial losses from incident response, and potential regulatory fines under data protection laws like GDPR or CCPA. Furthermore, an attacker could potentially modify or delete data, disrupting business operations and compromising data integrity.

Remediation

Immediate Action: The primary and most effective remediation is to apply the security patches provided by the vendor immediately across all affected installations. In addition, organizations should review database user permissions to ensure the web application's account operates with the principle of least privilege, limiting the potential damage of an exploit. Enabling detailed database query logging can also aid in detecting and investigating potential exploitation attempts.

Proactive Monitoring: Monitor web application firewall (WAF), web server, and database logs for suspicious patterns indicative of SQL injection attempts. Look for malformed requests, queries containing SQL keywords (e.g., SELECT, UNION, SLEEP), and an unusual number of database errors originating from the affected plugin's functionality. An increase in response times for specific pages could also indicate time-based blind SQL injection attempts.

Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with a robust ruleset configured to block SQL injection attacks. This can act as a virtual patch by inspecting incoming traffic and blocking malicious requests before they reach the vulnerable application. Restricting access to the application's administrative interfaces to trusted IP addresses can also reduce the attack surface.
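The Proactive Monitoring guidance above can be prototyped as a small access-log scanner. This is an added example, not vendor code: the log layout (combined format with the request time in seconds as the last field), the `/example-endpoint` path, the parameter names and the 3-second threshold are all assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample lines (hypothetical paths/parameters); last field is
# the request time in seconds, as an access-log format can be set to record.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "GET /blog/?s=seo+tips HTTP/1.1" 200 5120 0.112
203.0.113.9 - - [10/Jan/2026:10:00:07 +0000] "GET /example-endpoint?id=1%20UNION%20SELECT%20NULL HTTP/1.1" 200 812 0.140
203.0.113.9 - - [10/Jan/2026:10:00:15 +0000] "GET /example-endpoint?id=1%2520AND%2520SLEEP(5) HTTP/1.1" 200 812 5.093
198.51.100.7 - - [10/Jan/2026:10:01:02 +0000] "GET /example-endpoint?id=42 HTTP/1.1" 200 812 4.870
198.51.100.8 - - [10/Jan/2026:10:01:09 +0000] "GET /shop/?q=select+a+union+jack+flag HTTP/1.1" 200 900 0.098
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ (?P<rt>\d+\.\d+)$')

# Keyword combinations rather than bare words, to limit false positives.
SQLI_PATTERNS = {
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "sleep-call": re.compile(r"\bsleep\s*\(", re.I),
    "select-from": re.compile(r"\bselect\b.+\bfrom\b", re.I),
}

def decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded input is seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(log_text, slow_seconds=3.0):
    """Return (line number, client IP, reasons) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not flagged
        query = decode(urlsplit(m["target"]).query)
        reasons = [n for n, rx in SQLI_PATTERNS.items() if rx.search(query)]
        if float(m["rt"]) >= slow_seconds:
            reasons.append("slow-response")  # weak signal on its own
        if reasons:
            findings.append((lineno, m["ip"], reasons))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A line flagged only as `slow-response` is a weak signal on its own; it becomes interesting when the same client or endpoint also produces keyword matches or a burst of database errors.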

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score of 8.5, this vulnerability presents a critical risk to the organization. We strongly recommend that all affected systems be patched immediately, prioritizing public-facing websites. Although CVE-2025-67950 is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity and the popularity of the affected software make it a prime target for future exploitation. The remediation plan should be executed without delay to prevent potential data breaches and operational disruption.