Platform
wordpress
Component
miraculous
Fixed in
2.0.10
CVE-2025-58628 identifies a SQL Injection vulnerability within the Miraculous WordPress theme. This flaw allows attackers to potentially extract sensitive data through blind SQL injection techniques. The vulnerability impacts versions ranging from 0.0.0 to 2.0.9, and a fix is available in version 2.0.10.
The vulnerability lets an attacker alter a database query issued by the Miraculous theme and read data that query was never meant to return: user records including password hashes, option and configuration values, and in the worst case any table the WordPress database account can read. Because the injection is blind, the attacker never sees query output directly. Each request instead answers one yes/no question (does the page still render, or how long does the response take), and values are recovered a character at a time over many such requests. That makes extraction slower and noisier than an error-based or UNION-based injection, but not less complete. The advisory text here does not identify the injectable request or say whether it requires authentication; it also does not claim an authentication bypass, only data extraction, and the blast radius is bounded by the privileges of the database user WordPress connects with.
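The mechanics of boolean-based blind extraction described above, as an added example that is not code from the Miraculous theme or this advisory. The `posts` table, the `count_posts_vulnerable` / `count_posts_fixed` handlers and the sample rows are all invented for the demonstration and run against an in-memory SQLite database; the real injectable parameter in the theme is not identified on this page. The point is the contrast: the string-concatenated handler leaks a password hash one character per query, while the parameterised handler (the `$wpdb->prepare()` pattern in WordPress) answers the same oracle probes with nothing.

```python
import sqlite3
import string

# Constructed sample data standing in for a WordPress database. The rows,
# the `posts` table and the handler functions are invented for this example;
# nothing here is taken from the Miraculous theme.
SAMPLE_USERS = [
    (1, "admin", "$P$BsecretHashValue"),
    (2, "editor", "$P$BotherHashValue"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.execute("CREATE TABLE posts (id INTEGER, title TEXT, category TEXT)")
    conn.execute("INSERT INTO posts VALUES (1, 'Hello world', 'news')")
    return conn


def count_posts_vulnerable(conn, category):
    # Hypothetical vulnerable handler: the request parameter is concatenated
    # straight into the SQL text, so a quote breaks out of the string literal.
    sql = "SELECT COUNT(*) FROM posts WHERE category = '" + category + "'"
    return conn.execute(sql).fetchone()[0]


def count_posts_fixed(conn, category):
    # Hardened handler: a bound parameter. In WordPress this is what
    # $wpdb->prepare() does; the value can never change the query structure.
    sql = "SELECT COUNT(*) FROM posts WHERE category = ?"
    return conn.execute(sql, (category,)).fetchone()[0]


def oracle(handler, conn, condition):
    """Boolean oracle: True if the page still 'showed results' with the
    injected condition, i.e. the condition held. An attacker sees only this
    one bit per request, never the data itself."""
    payload = "news' AND (" + condition + ") AND '1'='1"
    try:
        return handler(conn, payload) > 0
    except sqlite3.Error:
        return False


def extract_blind(handler, conn, column, table, row_id, max_len=40):
    """Recover one string value character by character through the oracle.
    Linear search over the alphabet keeps this readable; a real tool would
    binary-search on the character code to cut the request count by ~10x."""
    alphabet = string.ascii_letters + string.digits + "$./"
    recovered = ""
    for pos in range(1, max_len + 1):
        hit = None
        for ch in alphabet:
            cond = "(SELECT substr(%s,%d,1) FROM %s WHERE ID=%d)='%s'" % (
                column, pos, table, row_id, ch)
            if oracle(handler, conn, cond):
                hit = ch
                break
        if hit is None:
            break  # no character matched: we ran past the end of the value
        recovered += hit
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", extract_blind(count_posts_vulnerable, db, "user_pass", "wp_users", 1))
    print("fixed:     ", repr(extract_blind(count_posts_fixed, db, "user_pass", "wp_users", 1)))
```

Every probe against the vulnerable handler is a legitimate-looking request that returns a normal page; only the count of requests and the shape of the parameter give it away, which is why detection for blind injection leans on request volume and repeated quote-and-comparison patterns rather than on error pages.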
CVE-2025-58628 was publicly disclosed on 2025-09-05. No public proof-of-concept (PoC) has been released at the time of writing, and the EPSS score of 0.03% (10th percentile) predicts a low probability of exploitation in the near term. Blind SQL injection in a WordPress theme is nonetheless a well-understood bug class, and a working PoC is plausible once the 2.0.9 to 2.0.10 change is diffed. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-58628 is to upgrade the Miraculous WordPress theme to version 2.0.10 or later. If the upgrade has to wait because of compatibility concerns, a Web Application Firewall (WAF) rule can reduce exposure in the meantime: filter SQL metacharacters and common injection patterns (quote characters, comment sequences, UNION, SLEEP and BENCHMARK calls, nested SELECTs) in request parameters handled by the theme. Treat such a rule as a stop-gap only; pattern-based filtering is routinely bypassed with alternate encodings and syntax, and it does not change the vulnerable code. After upgrading, confirm that the installed theme reports version 2.0.10 or later (the Version header in the theme's style.css, or the Appearance > Themes screen) rather than relying on an injection attempt, since this advisory does not identify the vulnerable endpoint. Also make sure the database account WordPress connects with has only the privileges the site needs, which bounds what any injection can read or change, and apply the same version review to other installed themes and plugins.
Update the Miraculous theme to version 2.0.10 or higher to remove the SQL Injection vulnerability. Take a full backup of the site (files and database) before updating any theme or plugin so the change can be rolled back. Database-side settings do not prevent SQL injection in application code; the fix is in the theme, and least-privilege database credentials only limit the damage.
CVE-2025-58628 is a SQL Injection vulnerability in the Miraculous WordPress theme that lets attackers extract data from the WordPress database through blind injection. No CVSS vector is listed on this page, so treat the severity as that of an unauthenticated-looking data-extraction bug rather than a scored figure.
You are affected if your WordPress site uses the Miraculous theme in versions 0.0.0 through 2.0.9. Upgrade to 2.0.10 or later to mitigate the risk.
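A version check for the affected range, added here as an example and not code from the theme or this advisory. WordPress stores a theme's version in the `Version:` header of its `style.css`, and the sample header below is constructed for the demonstration. The comparison is done on integer tuples because plain string comparison gets the 2.0.9 versus 2.0.10 boundary wrong. The `check_theme_dir` helper and the path `wp-content/themes/miraculous` are assumptions about a standard install.

```python
import os
import re

# Constructed sample of a theme's style.css header. WordPress reads the theme
# name and version from this comment block; the values are made up here.
SAMPLE_STYLE_CSS = """\
/*
Theme Name: Miraculous
Theme URI: https://example.invalid/miraculous
Version: 2.0.9
*/
body { margin: 0; }
"""

FIXED_VERSION = (2, 0, 10)  # first fixed release per the advisory


def parse_version(text):
    """Turn '2.0.9' into (2, 0, 9) so that releases compare numerically.
    Any suffix after the digits (e.g. '-rc1') is ignored, which means a
    pre-release of 2.0.10 would be reported as fixed; treat such builds
    as affected unless the vendor says otherwise."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def theme_version(style_css):
    """Extract the Version: header value from style.css text."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", style_css,
                  re.MULTILINE | re.IGNORECASE)
    if not m:
        raise ValueError("no Version: header in style.css")
    return m.group(1)


def is_affected(version):
    """True for every release before 2.0.10 (the advisory's 0.0.0 - 2.0.9 range)."""
    return parse_version(version) < FIXED_VERSION


def check_theme_dir(theme_dir):
    """Check an installed copy, e.g. wp-content/themes/miraculous (assumed path)."""
    path = os.path.join(theme_dir, "style.css")
    with open(path, encoding="utf-8", errors="replace") as fh:
        version = theme_version(fh.read())
    return version, is_affected(version)


if __name__ == "__main__":
    v = theme_version(SAMPLE_STYLE_CSS)
    verdict = "AFFECTED, upgrade to 2.0.10 or later" if is_affected(v) else "fixed"
    print("installed %s -> %s" % (v, verdict))
```

Run the same check again after the upgrade; a theme that still parses as 2.0.9 means the update did not land (cached copy, child theme pointing at an old parent, or a failed file write), and that is the verification step to rely on rather than probing the site with injection payloads.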
Upgrade the Miraculous WordPress theme to version 2.0.10 or later. Consider implementing a WAF as a temporary workaround if immediate upgrade is not possible.
No active exploitation has been confirmed and the EPSS score is low, but SQL injection in widely installed WordPress components is routinely targeted once a public PoC appears, so the upgrade should not be deferred.
Refer to the official Miraculous theme documentation or website for the latest security advisory regarding CVE-2025-58628.