Scan free
CRITICALCVE-2025-54726CVSS 9.3

CVE-2025-54726: SQL Injection in JS Archive List

Platform

wordpress

Component

jquery-archive-list-widget

Fixed in

6.1.7

AI Confidence: highNVDEPSS 0.9%Reviewed: May 2026
View on NVD
Save

CVE-2025-54726 describes a SQL Injection vulnerability discovered in JS Archive List, a jQuery widget. This flaw allows attackers to inject malicious SQL code, potentially gaining unauthorized access to sensitive data stored within the database. The vulnerability impacts versions from 0.0.0 up to and including 6.1.6. A patch has been released in version 6.1.6.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Impact and Attack Scenarios

Successful exploitation of this SQL Injection vulnerability could allow an attacker to bypass authentication mechanisms, read, modify, or delete sensitive data stored in the database. Depending on the database structure and permissions, an attacker might be able to escalate privileges and gain control over the entire WordPress installation. The impact is particularly severe if the database contains user credentials, financial information, or other confidential data. This vulnerability follows a common SQL Injection pattern, making it a high-priority target for automated scanning tools.

Exploitation Context

CVE-2025-54726 was publicly disclosed on 2025-08-20. The vulnerability's severity is rated as CRITICAL (CVSS 9.3). While no public proof-of-concept (PoC) code has been released, the ease of SQL Injection exploitation suggests a high probability of exploitation if left unpatched. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh
Reports1 threat report

EPSS

0.92% (76% percentile)

CISA SSVC

Exploitationnone
Automatableyes
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L9.3CRITICALAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeChangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityNoneRisk of unauthorized data modificationAvailabilityLowRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Componentjquery-archive-list-widget
VendorMiguel Useche
Affected rangeFixed in
0.0.0 – 6.1.66.1.7

Package Information

Active installs
3KNiche
Plugin rating
4.8
Requires WordPress
4.7+
Compatible up to
6.9.4
Requires PHP
7.4+
Homepage

Weakness Classification (CWE)

CWE-89

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-54726 is to immediately upgrade JS Archive List to version 6.1.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious SQL queries targeting the vulnerable endpoint. Carefully review and sanitize all user inputs before incorporating them into SQL queries. Regularly audit database permissions to minimize the potential impact of a successful attack.

How to fix

Update the JS Archive List plugin to a version greater than 6.1.6 to mitigate the SQL Injection vulnerability. Check the plugin page on wordpress.org for the latest version available and follow the update instructions provided by the developer.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-54726 — SQL Injection in JS Archive List?

CVE-2025-54726 is a critical SQL Injection vulnerability affecting JS Archive List versions 0.0.0 through 6.1.6, allowing attackers to inject malicious SQL code.

Am I affected by CVE-2025-54726 in JS Archive List?

If you are using JS Archive List version 0.0.0 through 6.1.6 on your WordPress site, you are potentially affected by this vulnerability.

How do I fix CVE-2025-54726 in JS Archive List?

Upgrade JS Archive List to version 6.1.6 or later to resolve the SQL Injection vulnerability. Consider WAF rules as a temporary workaround.

Is CVE-2025-54726 being actively exploited?

While no confirmed exploitation is public, the vulnerability's severity and ease of exploitation suggest a high probability of active exploitation.

Where can I find the official JS Archive List advisory for CVE-2025-54726?

Refer to the official JS Archive List project website or relevant security forums for the latest advisory and updates regarding CVE-2025-54726.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs