CVE-2025-32303: SQL Injection in WPCHURCH
Platform: wordpress
Component: wpchurch
Fixed in: 2.7.1
CVE-2025-32303 identifies a SQL Injection vulnerability within WPCHURCH, a Joomla extension. This flaw allows attackers to inject malicious SQL code, potentially leading to unauthorized data access and manipulation. The vulnerability affects versions from n/a up to and including 2.7.0, with a fix available in version 2.7.1.
Impact and Attack Scenarios
The SQL Injection vulnerability in WPCHURCH allows an attacker to craft malicious SQL queries that are executed against the database. Successful exploitation could lead to the extraction of sensitive information such as user credentials, financial data, and other confidential details stored within the WPCHURCH database. Furthermore, an attacker could potentially modify or delete data, leading to data integrity issues and disruption of service. Because this is a 'Blind SQL Injection', the attacker does not directly see the results of their queries and must rely on inference techniques, such as time-based injection, to extract data; this makes exploitation slower and more involved but does not diminish the potential impact.
Exploitation Context
CVE-2025-32303 was published on 2026-01-07. The vulnerability's severity is rated as CRITICAL (CVSS 9.3). As of this writing, there are no publicly known proof-of-concept exploits. It is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed, but the high severity warrants immediate attention and patching.
Threat Intelligence
EPSS: 0.04% (14th percentile)
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity: None — no integrity impact. Attacker cannot modify data.
- Availability: Low — partial or intermittent denial of service. Attacker can degrade performance.
Mitigation and Workarounds
The primary mitigation for CVE-2025-32303 is to immediately upgrade WPCHURCH to version 2.7.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. While a direct WAF rule is difficult to create for blind SQL injection, input validation and parameterized queries on the application layer can help reduce the attack surface. Review and restrict database user permissions to limit the potential damage from a successful injection. Monitor database logs for suspicious SQL queries that may indicate an ongoing attack.
How to fix
Update the WPCHURCH plugin to a fixed version (later than 2.7.0) to mitigate the blind SQL injection vulnerability. Consult the plugin's release notes for specific upgrade instructions, and make sure to back up your website before updating.
Frequently asked questions
What is CVE-2025-32303 — SQL Injection in WPCHURCH?
CVE-2025-32303 is a critical SQL Injection vulnerability affecting WPCHURCH versions before 2.7.1, allowing attackers to potentially extract or modify data.
Am I affected by CVE-2025-32303 in WPCHURCH?
If you are using WPCHURCH versions from n/a up to and including 2.7.0, you are vulnerable to this SQL Injection flaw.
How do I fix CVE-2025-32303 in WPCHURCH?
Upgrade WPCHURCH to version 2.7.1 or later to resolve this vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
Is CVE-2025-32303 being actively exploited?
As of now, there are no confirmed reports of active exploitation, but the high severity warrants immediate action.
Where can I find the official WPCHURCH advisory for CVE-2025-32303?
Refer to the official WPCHURCH website or Joomla extension directory for the latest security advisories and updates.