Platform: wordpress
Component: custom-api-for-wp
Fixed in: 4.2.3
CVE-2025-54048 identifies a SQL Injection vulnerability within the Custom API for WP plugin. This flaw allows attackers to inject malicious SQL code, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 up to and including 4.2.2. A patch is available in version 4.2.3.
Successful exploitation of this SQL Injection vulnerability could grant an attacker complete control over the WordPress database. They could extract sensitive user data, including usernames, passwords, and personal information. Furthermore, an attacker could modify or delete data, disrupt website functionality, or even gain administrative access to the WordPress installation. The potential for data breach and system compromise is significant, particularly if the database contains critical business or customer information. This vulnerability’s impact is amplified if the WordPress site is used for e-commerce or handles sensitive financial data.
CVE-2025-54048 was publicly disclosed on August 20, 2025. The vulnerability's severity is high due to the ease of exploitation and the potential impact. No public proof-of-concept (PoC) code has been observed at the time of writing, but the SQL Injection nature of the vulnerability makes it likely that PoCs will emerge. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.04% (12th percentile)
The primary mitigation for CVE-2025-54048 is to immediately upgrade the Custom API for WP plugin to version 4.2.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious SQL queries targeting the vulnerable API endpoints. Carefully review and sanitize all user inputs to prevent SQL injection attempts. Monitor WordPress logs for suspicious SQL queries or database activity. After upgrading, confirm the fix by attempting a SQL injection attack on the vulnerable endpoint and verifying that it is blocked.
Update the 'Custom API for WP' plugin to the latest available version to mitigate the SQL Injection vulnerability. Check the plugin page on wordpress.org for the latest version and update instructions. Ensure you back up your website before updating any plugin.
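As an added check, not taken from the advisory or from the plugin's own code: a script that reads the standard WordPress plugin header (the `Version:` line in the plugin's main PHP file) and reports whether the installed Custom API for WP version falls in the affected range, i.e. anything below 4.2.3. The plugins directory path in the final comment is an assumption to be adjusted for the host, and the sample header is constructed for the stand-alone run.

```python
import re
from pathlib import Path

# Fix version stated in the advisory for CVE-2025-54048; everything below it is affected.
FIXED_VERSION = "4.2.3"
PLUGIN_SLUG = "custom-api-for-wp"

# Matches the standard WordPress plugin header line, e.g. " * Version: 4.2.2".
_VERSION_HEADER = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE | re.IGNORECASE)

def parse_version(version: str) -> tuple:
    """'4.2.2' or '4.2.2-beta' -> (4, 2, 2). Numeric tuples compare correctly;
    comparing the strings lexically would wrongly rank '4.2.10' below '4.2.3'."""
    parts = re.findall(r"\d+", version.split("-")[0])
    return tuple(int(p) for p in parts) if parts else (0,)

def header_version(plugin_source: str):
    """Return the Version: value from a plugin's main PHP file header, or None."""
    match = _VERSION_HEADER.search(plugin_source)
    return match.group(1) if match else None

def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is below the fixed release (0.0.0 .. 4.2.2)."""
    return parse_version(version) < parse_version(fixed)

def check_plugin_dir(plugins_root: Path, slug: str = PLUGIN_SLUG):
    """Scan <plugins_root>/<slug>/*.php for the header; return (version, affected),
    or (None, None) if the plugin or its header is not found."""
    for php_file in sorted((plugins_root / slug).glob("*.php")):
        version = header_version(php_file.read_text(errors="ignore"))
        if version:
            return version, is_affected(version)
    return None, None

# Constructed sample header for a stand-alone run; not copied from the real plugin.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Custom API for WP
 * Version: 4.2.2
 */
"""

if __name__ == "__main__":
    v = header_version(SAMPLE_HEADER)
    print(f"sample header reports {v}: affected={is_affected(v)}")
    # Real check (assumed path): check_plugin_dir(Path("/var/www/html/wp-content/plugins"))
```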
CVE-2025-54048 is a critical SQL Injection vulnerability affecting the Custom API for WP plugin, allowing attackers to inject malicious SQL code and potentially access sensitive data.
You are affected if you are using Custom API for WP versions 0.0.0 through 4.2.2. Upgrade to 4.2.3 or later to mitigate the risk.
Upgrade the Custom API for WP plugin to version 4.2.3 or later. Consider implementing a WAF rule as an interim measure if immediate upgrade is not possible.
While no active exploitation has been confirmed, the vulnerability's nature makes it likely that exploitation attempts will occur. Monitor your systems closely.
Refer to the miniOrange website and WordPress plugin repository for the official advisory and update information regarding CVE-2025-54048.