Platform
wordpress
Component
fable-extra
Fixed in
1.0.7
CVE-2025-46539 describes a critical SQL Injection vulnerability discovered in the Fable Extra WordPress plugin. This flaw allows attackers to perform blind SQL injection, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 through 1.0.6, and a patch is available in version 1.0.7.
The SQL Injection vulnerability in Fable Extra allows an attacker to bypass security measures and directly interact with the underlying database. Due to the blind nature of the injection, attackers must perform multiple queries to extract data bit by bit. This can be time-consuming but allows them to potentially retrieve sensitive information such as user credentials, plugin configurations, or other stored data. Successful exploitation could lead to complete compromise of the WordPress site and associated data. While blind SQL injection is less immediate than direct injection, it can still be highly damaging if left unaddressed.
CVE-2025-46539 was publicly disclosed on 2025-05-23. The vulnerability's blind SQL injection nature suggests a potentially lengthy exploitation process, but the CRITICAL CVSS score indicates significant risk. No public proof-of-concept exploits are currently known, but the ease of SQL injection exploitation means it is likely to become a target. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
WordPress sites utilizing the Fable Extra plugin, especially those running older versions (0.0.0–1.0.6), are at significant risk. Shared hosting environments where plugin updates are not managed by the site administrator are particularly vulnerable. Sites with sensitive data stored in the WordPress database are also at higher risk.
• wordpress / composer / npm:
  grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/fable-extra/
• wordpress / composer / npm:
  wp plugin list | grep fable-extra
• wordpress / composer / npm:
  wp plugin update fable-extra --all
• generic web:
  Inspect WordPress access logs for unusual requests to the Fable Extra plugin that carry SQL fragments, particularly SELECT statements, and for requests with unusually long execution times.
disclosure
Exploit status
EPSS
0.23% (46th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-46539 is to immediately upgrade the Fable Extra plugin to version 1.0.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. While a direct WAF rule is difficult to implement for blind SQL injection, implementing strict input validation and parameterized queries within the plugin's code (if possible) can reduce the attack surface. Monitor WordPress access logs for suspicious SQL queries originating from the Fable Extra plugin.
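The paragraph above recommends parameterized queries and strict input validation inside the plugin code. The following PHP is an added illustration written for this page; it is not Fable Extra's own code, and the page does not show the plugin's actual vulnerable code path. It assumes a hypothetical AJAX action `fable_extra_lookup`, a hypothetical `post_id` request parameter and a hypothetical custom table `{$wpdb->prefix}fable_extra_items`, and shows the generic unsafe concatenation pattern that produces a blind SQL injection next to the `$wpdb->prepare()` form that closes it.

```php
<?php
// Added example, not code from the Fable Extra plugin. The action name,
// parameter name and table name below are hypothetical.

/**
 * UNSAFE pattern (the kind of code that produces a blind SQL injection):
 * the request parameter is concatenated straight into the SQL string.
 * The handler returns only a true/false result, so an attacker can observe
 * nothing but whether the query behaved differently, which is what makes
 * the injection "blind".
 */
function fable_extra_lookup_before() {
    global $wpdb;
    $post_id = isset( $_GET['post_id'] ) ? $_GET['post_id'] : '';
    $sql     = "SELECT id FROM {$wpdb->prefix}fable_extra_items WHERE post_id = " . $post_id;
    $rows    = $wpdb->get_results( $sql );
    wp_send_json( array( 'found' => ! empty( $rows ) ) );
}

/**
 * HARDENED pattern: validate the type first, then bind the value with
 * $wpdb->prepare(). The %d placeholder coerces to an integer; %s would be
 * quoted and escaped by WordPress. The SQL text itself never changes
 * based on user input.
 */
function fable_extra_lookup_after() {
    global $wpdb;

    // Input validation: reject anything that is not a plain decimal number.
    if ( ! isset( $_GET['post_id'] ) || ! ctype_digit( (string) $_GET['post_id'] ) ) {
        wp_send_json_error( 'invalid post_id', 400 );
    }
    $post_id = absint( $_GET['post_id'] );

    // Parameterized query: the value is bound, not concatenated.
    $sql  = $wpdb->prepare(
        "SELECT id FROM {$wpdb->prefix}fable_extra_items WHERE post_id = %d",
        $post_id
    );
    $rows = $wpdb->get_results( $sql );
    wp_send_json( array( 'found' => ! empty( $rows ) ) );
}

/**
 * Variant for a string column: %s plus sanitize_text_field(), and
 * $wpdb->esc_like() when the value feeds a LIKE pattern so that '%' and '_'
 * in user input are treated literally.
 */
function fable_extra_search_after( $term ) {
    global $wpdb;
    $term = sanitize_text_field( $term );
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title FROM {$wpdb->prefix}fable_extra_items WHERE title LIKE %s",
            $like
        )
    );
}

// Gate the endpoint as well: a nonce and a capability check keep
// unauthenticated callers from reaching the query at all.
add_action( 'wp_ajax_fable_extra_lookup', function () {
    check_ajax_referer( 'fable_extra_lookup' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    fable_extra_lookup_after();
} );
```

The type check before `prepare()` is deliberate: `%d` alone would silently turn a malformed value into `0` and mask the bad request, whereas rejecting it with a 400 leaves a log entry that detection can key on. Applying the same two steps (validate, then bind) to every `$wpdb` call in a plugin is what removes the attack surface the advisory describes; the upgrade to 1.0.7 remains the fix for the plugin itself.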
Update the Fable Extra plugin to the latest available version to mitigate the SQL injection vulnerability. Check for plugin updates directly in the WordPress admin panel or through the official WordPress.org repository.
CVE-2025-46539 is a critical SQL Injection vulnerability affecting the Fable Extra WordPress plugin, allowing attackers to potentially extract data through blind SQL injection.
If you are using Fable Extra version 0.0.0 through 1.0.6, you are affected by this vulnerability. Check your plugin version immediately.
Upgrade the Fable Extra plugin to version 1.0.7 or later to resolve the SQL Injection vulnerability. If immediate upgrade is not possible, disable the plugin temporarily.
While no public exploits are currently known, the CRITICAL severity and ease of SQL injection exploitation suggest it is likely to become a target. Monitor for signs of exploitation.
Refer to the official Fable Extra plugin documentation or the WordPress plugin repository for the latest advisory and update information.