Platform: wordpress
Component: modal-survey
Fixed in: 2.0.3
CVE-2025-39471 describes a SQL Injection vulnerability discovered in the Modal Survey WordPress plugin. This flaw allows attackers to inject malicious SQL code, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 through 2.0.2.0.1, but a fix is available in version 2.0.3.
Successful exploitation of this SQL Injection vulnerability could grant an attacker complete control over the WordPress database. They could extract sensitive user data (usernames, passwords, email addresses), modify existing data, or even delete entire tables. The impact extends beyond data theft; an attacker could potentially use the compromised database to gain a foothold on the entire WordPress server, leading to further attacks and system compromise. This vulnerability resembles other SQL Injection attacks where attackers leverage database queries to bypass security controls and access restricted information.
CVE-2025-39471 was publicly disclosed on 2025-04-18. The CVSS score of 9.3 (CRITICAL) indicates a high probability of exploitation. While no public proof-of-concept (PoC) code has been released at the time of this writing, the severity of the vulnerability and the ease of SQL Injection exploitation suggest that a PoC is likely to emerge. It is not currently listed on CISA KEV, but its criticality warrants close monitoring.
Exploit Status
EPSS: 0.23% (46th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation is to immediately upgrade the Modal Survey plugin to version 2.0.3 or later. If an upgrade is not feasible due to compatibility issues or downtime concerns, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious SQL queries targeting the vulnerable endpoints. Specifically, look for patterns indicative of SQL injection attempts, such as the use of single quotes, double quotes, semicolons, or SQL keywords. Additionally, review and restrict database user permissions to limit the potential damage from a successful attack. After upgrading, confirm the fix by attempting a SQL injection attack on the vulnerable endpoint and verifying that it is blocked.
Update the Modal Survey plugin to the latest available version to mitigate the SQL Injection vulnerability. Check the official plugin source (Codecanyon) for the most recent version and update instructions. Ensure you perform a full backup of your website before applying any updates.
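The upgrade guidance above hinges on one check: whether the installed copy is still inside the affected range (0.0.0 through 2.0.2.0.1) or already at 2.0.3 or later. The following script is an added example, not code from the advisory or from the plugin. It reads the "Version:" header that a WordPress plugin's main PHP file carries and compares it numerically, component by component, against the fixed version; the sample header and the temporary file path it creates are constructed for the example, and on a real install you would point it at the plugin's main PHP file under wp-content/plugins/ (the exact file name is an assumption not given on this page).

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): decide whether an
# installed Modal Survey copy is still in the affected range by reading the
# WordPress "Version:" plugin header and comparing it with the fixed version.

FIXED_VERSION="2.0.3"

# Print the value of the first "Version:" header line in a plugin file.
# Handles both "Version: x" and " * Version: x" comment styles.
plugin_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Numeric comparison of dotted version strings; succeeds (0) when $1 < $2.
# Components are compared left to right and missing ones count as 0, so
# "2.0.2.0.1" < "2.0.3" and "2.0.3.0" is not below "2.0.3". Non-digit
# characters in a component are dropped before comparing.
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=$(printf '%s' "${a%%.*}" | tr -cd '0-9'); a=${a#*.}
        y=$(printf '%s' "${b%%.*}" | tr -cd '0-9'); b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# Succeeds (0) when the version is below the fixed one, fails (1) when it is
# patched, and returns 2 when no version string was supplied.
is_affected_version() {
    [ -n "$1" ] || return 2
    version_lt "$1" "$FIXED_VERSION"
}

# Report on one plugin file; the exit status follows is_affected_version.
check_plugin_file() {
    v=$(plugin_version "$1")
    rc=0
    is_affected_version "$v" || rc=$?
    case $rc in
        0) echo "$1: version $v is affected; upgrade to $FIXED_VERSION or later" ;;
        1) echo "$1: version $v is at or above $FIXED_VERSION" ;;
        *) echo "$1: no Version header found, check the plugin manually" ;;
    esac
    return $rc
}

# Constructed sample of a plugin header in the form WordPress expects; a real
# run would use the plugin's own main PHP file instead. Prints the temp path.
make_sample_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?php
/*
Plugin Name: Modal Survey (constructed sample header)
Version: 2.0.2.0.1
*/
EOF
    echo "$f"
}

# Stand-alone demonstration against the constructed sample.
SAMPLE_FILE=$(make_sample_file)
check_plugin_file "$SAMPLE_FILE"
rm -f "$SAMPLE_FILE"
```

The numeric comparison matters here because the affected range ends at a five-component version (2.0.2.0.1) while the fix is a three-component one (2.0.3); a plain string comparison would get that ordering wrong.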
CVE-2025-39471 is a critical SQL Injection vulnerability affecting the Modal Survey WordPress plugin, allowing attackers to inject malicious SQL code and potentially access sensitive data.
You are affected if you are using Modal Survey plugin versions 0.0.0 through 2.0.2.0.1. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the Modal Survey plugin to version 2.0.3 or later. If immediate upgrade is not possible, implement a WAF rule to filter malicious SQL queries.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of future attacks.
Refer to the Modal Survey plugin's official website or WordPress plugin repository for the latest advisory and update information.