Platform
wordpress
Component
wp-lead-capture
Fixed in
2.5.4
CVE-2025-49055 describes a SQL Injection vulnerability discovered in the WP Lead Capturing Pages WordPress plugin. This flaw allows attackers to perform blind SQL injection, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 up to and including 2.5. A patch is available in version 2.5.4.
The SQL Injection vulnerability in WP Lead Capturing Pages allows an attacker to bypass security measures and directly interact with the underlying database. By crafting malicious SQL queries, an attacker can extract sensitive information such as user credentials, personally identifiable information (PII), and potentially even gain control over the WordPress database. The 'blind' nature of the injection means the attacker doesn't receive direct feedback from the database, requiring them to infer results through trial and error, making detection more challenging. Successful exploitation could lead to complete compromise of the WordPress site and associated data.
CVE-2025-49055 was published on 2026-01-22. The vulnerability's 'blind' nature suggests a potentially higher difficulty for exploitation, but the CRITICAL CVSS score indicates significant risk. Public proof-of-concept (POC) code is currently unknown, but the vulnerability's nature makes it likely that such code will emerge. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS
0.04% (13% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-49055 is to immediately upgrade the WP Lead Capturing Pages plugin to version 2.5.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. Web Application Firewalls (WAFs) configured with rules to detect and block SQL injection attempts can provide an additional layer of defense. Monitor WordPress logs for suspicious SQL queries originating from the plugin’s endpoints. After upgrading, verify the fix by attempting a SQL injection payload through the plugin's input fields and confirming no data is exposed.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-49055 is a critical SQL Injection vulnerability affecting the WP Lead Capturing Pages WordPress plugin, allowing attackers to extract data via blind SQL injection.
You are affected if you are using WP Lead Capturing Pages versions 0.0.0 through 2.5. Check your plugin version and upgrade immediately.
Upgrade the WP Lead Capturing Pages plugin to version 2.5.4 or later to patch the SQL Injection vulnerability. Disable the plugin if immediate upgrade is not possible.
While active exploitation is not yet confirmed, the CRITICAL severity and nature of the vulnerability suggest it is likely to be targeted. Monitor for suspicious activity.
Refer to the plugin developer's website or WordPress.org plugin repository for the official advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.