Platform: wordpress
Component: nest-addons
Fixed in: 1.6.4
CVE-2025-54720 describes a SQL Injection vulnerability discovered in SteelThemes Nest Addons. This flaw allows attackers to inject malicious SQL code, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 through 1.6.3, and a patch is available in version 1.6.4.
Successful exploitation of this SQL Injection vulnerability could allow an attacker to bypass authentication and authorization mechanisms, gaining unauthorized access to the underlying database. This could lead to the exfiltration of sensitive user data, including usernames, passwords, and potentially personally identifiable information (PII). Depending on the database schema, an attacker might also be able to modify or delete data, leading to data integrity issues and service disruption. The blast radius extends to any system relying on the compromised Nest Addons plugin.
CVE-2025-54720 was published on 2025-08-28. Currently, there is no public proof-of-concept available. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-54720 is to immediately upgrade Nest Addons to version 1.6.4 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to filter out potentially malicious SQL queries targeting the vulnerable endpoints. Input validation and sanitization on the WordPress side, if possible, can provide an additional layer of defense. Regularly review database access logs for suspicious activity.
Update the Nest Addons plugin to the latest available version to mitigate the SQL Injection vulnerability. Check for updates in the WordPress repository or on the developer's website. Implement additional security measures, such as user input validation and sanitization, to prevent future vulnerabilities.
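As an added example (not code from this advisory or from SteelThemes), a stdlib-only Python check that reads the plugin file header from a WordPress install and reports whether the installed Nest Addons version falls in the affected range 0.0.0 through 1.6.3; the plugin slug `nest-addons` and the `wp-content/plugins/<slug>/*.php` layout are assumptions about a typical install.

```python
import re
from pathlib import Path

# Range taken from the advisory: every release below 1.6.4 is affected.
AFFECTED_MIN = (0, 0, 0)
FIXED_IN = (1, 6, 4)
PLUGIN_SLUG = "nest-addons"  # assumed directory name under wp-content/plugins

def parse_version(text):
    """Turn '1.6.3' (or '1.6', '1.6.3.1') into a comparable tuple of ints.
    Pre-release suffixes such as '-rc1' are ignored, so treat them with care."""
    core = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not core:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    # Pad to at least three components; Python compares tuples element-wise.
    return tuple(parts + [0] * max(0, 3 - len(parts)))

def is_affected(version):
    """True if version lies in 0.0.0 .. 1.6.3, i.e. strictly below the 1.6.4 fix."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN

def header_version(plugin_header):
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", plugin_header, re.MULTILINE)
    return m.group(1) if m else None

def check_plugin_dir(wp_root):
    """Find the plugin's main PHP file and evaluate its declared version.
    Returns (version, affected), or (None, None) if the plugin is not installed."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    for php in sorted(plugin_dir.glob("*.php")):
        # Plugin headers sit at the top of the file; 8 KiB is plenty.
        ver = header_version(php.read_text(errors="replace")[:8192])
        if ver:
            return ver, is_affected(ver)
    return None, None

if __name__ == "__main__":
    import sys
    ver, bad = check_plugin_dir(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{PLUGIN_SLUG}: version={ver} affected={bad}")
```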
CVE-2025-54720 is a critical SQL Injection vulnerability affecting SteelThemes Nest Addons, allowing attackers to potentially extract or modify database data.
You are affected if you are using Nest Addons versions 0.0.0 through 1.6.3. Upgrade to 1.6.4 to mitigate the risk.
Upgrade Nest Addons to version 1.6.4 or later. Consider WAF rules as an interim measure if immediate upgrade is not possible.
Currently, there are no confirmed reports of active exploitation, but monitoring is recommended.
Refer to the SteelThemes website and WordPress plugin repository for the latest advisory and update information.