Platform: wordpress
Component: cleverreach-wp
Fixed in: 1.5.21
CVE-2025-49059 identifies a SQL Injection vulnerability within CleverReach® WP, a WordPress plugin. This flaw allows unauthorized users to inject malicious SQL code, potentially leading to data breaches and system compromise. The vulnerability impacts versions from 0.0 up to and including 1.5.20, but a patch is available in version 1.5.21.
Successful exploitation of this SQL Injection vulnerability could grant an attacker unauthorized access to the CleverReach® WP database. This could include sensitive user data, email lists, campaign information, and potentially even WordPress user credentials if stored within the database. An attacker could modify data, delete records, or even gain control of the entire WordPress site depending on database permissions and the plugin's configuration. The impact is particularly severe given the plugin's function as an email marketing tool, where compromised lists could be used for spam or phishing campaigns. This vulnerability shares similarities with other SQL Injection flaws where attackers leverage database queries to bypass authentication or retrieve confidential information.
CVE-2025-49059 was publicly disclosed on 2025-08-14. The CVSS score of 9.3 (CRITICAL) indicates a high probability of exploitation. As of this writing, there are no publicly available proof-of-concept exploits, but the severity of the vulnerability and the ease of SQL Injection exploitation suggest that it is a high-priority target for attackers. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.04% (11th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-49059 is to immediately upgrade CleverReach® WP to version 1.5.21 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These may include restricting database user permissions to limit the impact of a successful injection, or using a Web Application Firewall (WAF) with SQL Injection rules to filter malicious requests. Monitor CleverReach® WP plugin files for unauthorized modifications. After upgrading, verify the fix by attempting a SQL Injection payload through the plugin's input fields and confirming that the query is properly sanitized.
Update the CleverReach® WP plugin to the latest available version to mitigate the SQL Injection vulnerability. Refer to the plugin documentation or the developer's website for specific instructions on how to update.
CVE-2025-49059 is a critical SQL Injection vulnerability affecting CleverReach® WP versions 0.0 through 1.5.20, allowing attackers to inject malicious SQL code and potentially access sensitive data.
If you are using CleverReach® WP versions 0.0 to 1.5.20, you are affected by this vulnerability. Upgrade to version 1.5.21 or later to mitigate the risk.
The recommended fix is to upgrade CleverReach® WP to version 1.5.21 or later. If immediate upgrade is not possible, consider temporary workarounds like WAF rules and restricting database permissions.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest it is a high-priority target for attackers.
Please refer to the CleverReach® WP official website or their security advisory page for the latest information and updates regarding CVE-2025-49059.
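The two checks a site owner actually needs from the mitigation guidance above are (1) is the installed CleverReach® WP version inside the affected range 0.0 through 1.5.20, and (2) have the plugin's files been modified since a known-good baseline. The script below is an added example written for this page; it is not code from the advisory or from the plugin. It assumes the plugin's main file is `wp-content/plugins/cleverreach-wp/cleverreach-wp.php` with a standard WordPress plugin header containing a `Version:` line (that file name is an assumption; adjust `PLUGIN_MAIN_FILE` if your install differs), and the embedded sample header is constructed for demonstration. Versions are compared numerically so that `1.5.9` correctly sorts below `1.5.20`, which a plain string comparison gets wrong.

```python
"""Defender-side checks for CVE-2025-49059 (CleverReach WP SQL injection).

Added example; not part of the advisory or the plugin's own code.
Assumptions: the plugin main file path below and its "Version:" header line.
The affected range (0.0 .. 1.5.20) and fixed version (1.5.21) come from the advisory.
"""
import hashlib
import re
from pathlib import Path

AFFECTED_MAX = "1.5.20"   # last vulnerable version per the advisory
FIXED_IN = "1.5.21"       # first patched version per the advisory
# Assumed location of the plugin's main file; adjust for your install.
PLUGIN_MAIN_FILE = Path("wp-content/plugins/cleverreach-wp/cleverreach-wp.php")

# Constructed sample plugin header, used only when the real file is absent.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: CleverReach WP
 * Version: 1.5.20
 */
"""

_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def parse_version(version):
    """Turn '1.5.20' into (1, 5, 20) so comparisons are numeric, not lexical."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_from_header(header_text):
    """Extract the Version: value from a WordPress plugin header, or None."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def is_affected(installed):
    """True when the installed version lies in 0.0 .. 1.5.20 inclusive."""
    v = parse_version(installed)
    return parse_version("0.0") <= v <= parse_version(AFFECTED_MAX)


def assess_version(installed):
    """Decide whether CVE-2025-49059 applies and what to do about it."""
    if installed is None:
        return {"installed": None, "affected": None, "action": "Version header not found"}
    affected = is_affected(installed)
    action = f"upgrade to {FIXED_IN} or later" if affected else "not affected by CVE-2025-49059"
    return {"installed": installed, "affected": affected, "action": action}


def hash_tree(root):
    """SHA-256 of every file under root, keyed by path relative to root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_baseline(baseline, current):
    """Report plugin files that changed, appeared or vanished since the baseline."""
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "removed": removed}


def main():
    if PLUGIN_MAIN_FILE.exists():
        header = PLUGIN_MAIN_FILE.read_text(encoding="utf-8", errors="replace")
    else:
        header = SAMPLE_HEADER  # constructed sample; real file not present here
    print(assess_version(version_from_header(header)))
    plugin_dir = PLUGIN_MAIN_FILE.parent
    if plugin_dir.is_dir():
        # Take the baseline right after upgrading to 1.5.21, store it read-only
        # off the web root, and re-run diff_baseline() on a schedule.
        print(len(hash_tree(plugin_dir)), "files hashed for baseline")


if __name__ == "__main__":
    main()
```

Take the `hash_tree()` baseline immediately after upgrading to 1.5.21 and keep it outside the web root; any entry in `modified` or `added` on a later run is worth an immediate look, since the plugin directory should only change on an update you performed.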