Platform
wordpress
Component
local-magic
Fixed in
2.9.1
CVE-2025-32636 identifies a SQL Injection vulnerability within the Local Magic WordPress plugin. This flaw allows attackers to inject malicious SQL code, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions 0.0.0 through 2.9.0 of the plugin, and a fix is available in version 2.9.1.
Successful exploitation of this SQL Injection vulnerability could grant an attacker complete control over the WordPress database. This includes the ability to read, modify, or delete sensitive information such as user credentials, post content, and configuration settings. An attacker could also leverage this access to escalate privileges, gain remote code execution on the server, or launch further attacks against other systems within the network. The potential for data exfiltration and system compromise is significant, particularly in environments where Local Magic is used to manage sensitive project data.
CVE-2025-32636 was publicly disclosed on April 17, 2025. The vulnerability's severity and ease of exploitation suggest a medium probability of exploitation (EPSS score likely medium). Public proof-of-concept (PoC) code is anticipated given the widespread use of WordPress and the relatively straightforward nature of SQL Injection attacks. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Exploit Status
EPSS
0.23% (46% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-32636 is to immediately upgrade the Local Magic plugin to version 2.9.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious SQL queries targeting vulnerable endpoints. Additionally, review and restrict database user permissions to limit the impact of a successful SQL Injection attack. Monitor WordPress logs for suspicious SQL activity and implement intrusion detection systems to identify and respond to potential exploitation attempts.
Update the Local Magic plugin to version 2.9.1 or higher to mitigate the SQL Injection vulnerability. Ensure you back up your website before updating any plugin. Verify that your database is updated and configured with security best practices.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-32636 is a critical SQL Injection vulnerability affecting Local Magic versions 0.0.0 through 2.9.0, allowing attackers to inject malicious SQL code and potentially gain unauthorized database access.
You are affected if you are using Local Magic versions 0.0.0 to 2.9.0. Immediately check your plugin version and upgrade if necessary.
Upgrade Local Magic to version 2.9.1 or later. Consider implementing a WAF rule as an interim measure if immediate upgrading is not possible.
While active exploitation is not yet confirmed, the vulnerability's severity and ease of exploitation suggest a medium probability of exploitation. Monitor security advisories for updates.
Refer to the Local Magic plugin website and WordPress.org plugin repository for the official advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.