Platform
wordpress
Component
modal-survey
Fixed in
2.0.3
CVE-2025-39471 describes a SQL Injection vulnerability discovered in the Modal Survey WordPress plugin. This flaw allows attackers to inject malicious SQL code, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 through 2.0.2.0.1, but a fix is available in version 2.0.3.
Successful exploitation of this SQL Injection vulnerability could grant an attacker complete control over the WordPress database. They could extract sensitive user data (usernames, passwords, email addresses), modify existing data, or even delete entire tables. The impact extends beyond data theft; an attacker could potentially use the compromised database to gain a foothold on the entire WordPress server, leading to further attacks and system compromise. This vulnerability resembles other SQL Injection attacks where attackers leverage database queries to bypass security controls and access restricted information.
CVE-2025-39471 was publicly disclosed on 2025-04-18. The CVSS score of 9.3 (CRITICAL) indicates a high probability of exploitation. While no public proof-of-concept (PoC) code has been released at the time of this writing, the severity of the vulnerability and the ease of SQL Injection exploitation suggest that a PoC is likely to emerge. It is not currently listed on CISA KEV, but its criticality warrants close monitoring.
WordPress websites utilizing the Modal Survey plugin, particularly those running older versions (0.0.0–2.0.2.0.1), are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially expose data from others. Sites with weak database user permissions are also at increased risk.
• wordpress / composer / npm:
grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/modal-survey/
• generic web:
curl -I 'https://your-wordpress-site.com/wp-content/plugins/modal-survey/endpoint.php?param='  # check for SQL injection indicators in response headers
Disclosure
Exploit status
EPSS
0.23% (46th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the Modal Survey plugin to version 2.0.3 or later. If an upgrade is not feasible due to compatibility issues or downtime concerns, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious SQL queries targeting the vulnerable endpoints. Specifically, look for patterns indicative of SQL injection attempts, such as the use of single quotes, double quotes, semicolons, or SQL keywords. Additionally, review and restrict database user permissions to limit the potential damage from a successful attack. After upgrading, confirm the fix by attempting a SQL injection attack on the vulnerable endpoint and verifying that it is blocked.
Update the Modal Survey plugin to the latest available version to mitigate the SQL injection vulnerability. Check the plugin's official source (Codecanyon) for the most recent version and update instructions. Make sure to take a full backup of your website before applying any update.
CVE-2025-39471 is a critical SQL Injection vulnerability affecting the Modal Survey WordPress plugin, allowing attackers to inject malicious SQL code and potentially access sensitive data.
You are affected if you are using Modal Survey plugin versions 0.0.0 through 2.0.2.0.1. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the Modal Survey plugin to version 2.0.3 or later. If immediate upgrade is not possible, implement a WAF rule to filter malicious SQL queries.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of future attacks.
Refer to the Modal Survey plugin's official website or WordPress plugin repository for the latest advisory and update information.
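As an added example (not code from the advisory or from the plugin itself), the following Python reads the Version: field from a WordPress plugin file header and decides whether it lies inside the affected range stated above (0.0.0 through 2.0.2.0.1, fixed in 2.0.3), handling versions with a differing number of components. The sample header is constructed; the plugin's main file name is not given on the page, so every top-level .php file in the plugin directory is scanned.

```python
"""Decide whether an installed Modal Survey plugin falls in the affected range."""
import re
from pathlib import Path

# Boundaries as stated in the advisory: affected 0.0.0 .. 2.0.2.0.1, fixed in 2.0.3.
FIXED_IN = "2.0.3"

# WordPress plugin file header line, e.g. "Version: 1.2.3" or " * Version: 1.2.3".
HEADER_RE = re.compile(r"^[\s*#]*Version:\s*(\S+)", re.MULTILINE)


def parse_version(text):
    """Split a dotted version into a tuple of ints; a non-numeric component counts as 0."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1; missing trailing components count as 0 (2.0.3 == 2.0.3.0)."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_affected(version):
    """True when the version is below the fixed release, i.e. within 0.0.0 .. 2.0.2.0.1."""
    return compare_versions(version, FIXED_IN) < 0


def version_from_header(php_source):
    """Return the Version: field of a plugin file header, or None if the file has none."""
    m = HEADER_RE.search(php_source)
    return m.group(1) if m else None


def scan_plugin_dir(plugin_dir):
    """Map each top-level .php file carrying a Version: header to (version, affected).
    The advisory does not name the main plugin file, so every top-level file is checked;
    only the first 8 KiB is read, which is also what WordPress inspects for headers."""
    results = {}
    for php in Path(plugin_dir).glob("*.php"):
        version = version_from_header(php.read_text(errors="replace")[:8192])
        if version:
            results[php.name] = (version, is_affected(version))
    return results


# Constructed sample header (not the plugin's real file), used as inline test input.
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: Modal Survey\nVersion: 2.0.2.0.1\n*/\n"
```

Run scan_plugin_dir("/var/www/html/wp-content/plugins/modal-survey") on each site of a shared host to list which installs still need the 2.0.3 upgrade.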