CVE-2025-68990
xenioushk · BWL Pro Voting Manager
The BWL Pro Voting Manager plugin for WordPress, versions 1.4.9 and below, is vulnerable to Blind SQL Injection due to improper neutralization of special elements in SQL commands.
Executive summary
A Blind SQL Injection vulnerability in BWL Pro Voting Manager (<= 1.4.9) allows unauthorized attackers to extract sensitive database information.
Vulnerability
This is a Blind SQL Injection vulnerability resulting from improper input sanitization. It allows an attacker to influence database queries, potentially leading to the extraction of sensitive data from the WordPress database.
Business impact
Exploitation of this vulnerability could lead to the total compromise of the database, exposing sensitive user data, administrative credentials, or configuration details. Given the CVSS score of 9.8, this flaw poses a severe threat to the confidentiality and integrity of any website running the affected plugin.
Remediation
Immediate Action: Upgrade to the latest version of BWL Pro Voting Manager that explicitly includes a fix for this SQL injection vulnerability.
Proactive Monitoring: Review database query logs for suspicious patterns, such as unexpected use of UNION, SLEEP, or BENCHMARK functions.
Compensating Controls: Deploy a Web Application Firewall (WAF) with SQL injection protection enabled to filter malicious payloads targeting the plugin's parameters.
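The log review suggested under Proactive Monitoring, as an added example that is not part of this advisory or the plugin: a small Python scanner over constructed MySQL general-query-log lines that flags the UNION, SLEEP and BENCHMARK patterns named above (plus the boolean tautology shape blind probing leaves behind) and groups hits by database thread, since blind SQL injection shows up as a run of near-identical probing queries from one session rather than a single request. The log lines, table names and the session threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed MySQL general-query-log lines (time, thread id, command, text).
# Table and column names are illustrative placeholders, not the plugin's own.
SAMPLE_LOG = """\
2025-12-01T10:00:01.000000Z\t31 Query\tSELECT option_value FROM wp_options WHERE option_name = 'siteurl'
2025-12-01T10:00:02.000000Z\t42 Query\tSELECT ID FROM wp_posts WHERE ID = 5 AND SLEEP(5)
2025-12-01T10:00:08.000000Z\t42 Query\tSELECT ID FROM wp_posts WHERE ID = 5 AND BENCHMARK(5000000,MD5(1))
2025-12-01T10:00:09.000000Z\t42 Query\tSELECT ID FROM wp_posts WHERE ID = 5 AND 1=1
2025-12-01T10:00:10.000000Z\t42 Query\tSELECT ID FROM wp_posts WHERE ID = 5 AND 1=2
2025-12-01T10:00:11.000000Z\t42 Query\tSELECT ID FROM wp_posts WHERE ID = 5 UNION SELECT NULL
2025-12-01T10:00:12.000000Z\t77 Query\tINSERT INTO wp_posts (post_title) VALUES ('hello')
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")
# Signatures the advisory names (UNION, SLEEP, BENCHMARK) plus the
# tautology shape that boolean-based blind probing leaves behind.
RULES = {
    "time-based": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    "union-based": re.compile(r"\bUNION(\s+ALL)?\s+SELECT\b", re.I),
    "boolean-probe": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+\b", re.I),
}

def classify(sql):
    """Return the names of every rule that matches one query text."""
    return [name for name, rx in RULES.items() if rx.search(sql)]

def scan_log(text, session_threshold=3):
    """Group flagged queries by DB thread id. Several flagged queries from one
    thread look like a blind-SQLi probing session rather than a one-off."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip Connect/Quit lines and continuation lines
        ts, thread, sql = m.groups()
        for rule in classify(sql):
            hits[thread].append((ts, rule, sql[:60]))
    report = {}
    for thread, findings in hits.items():
        verdict = "probing-session" if len(findings) >= session_threshold else "isolated-hit"
        report[thread] = {"verdict": verdict,
                          "rules": dict(Counter(r for _, r, _ in findings)),
                          "findings": findings}
    return report

if __name__ == "__main__":
    for thread, rep in scan_log(SAMPLE_LOG).items():
        print(thread, rep["verdict"], rep["rules"])
```

Point it at a real general log only while investigating, since that log records every statement and grows quickly; the same rules apply unchanged to slow-query-log entries, which is where SLEEP and BENCHMARK calls usually surface first.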
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
Administrators must update the plugin immediately to mitigate the risk of data exfiltration. If an immediate update is not feasible, the plugin should be disabled or removed from the environment until the vendor-supplied patch can be applied.