Platform
wordpress
Component
automotive
Fixed in
18.6.1
CVE-2025-67928 describes a critical SQL Injection vulnerability discovered in themesuite Automotive Listings. This flaw allows attackers to perform blind SQL injection, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 up to and including 18.6, and a patch is available in version 18.7.
The SQL Injection vulnerability in Automotive Listings allows an attacker to bypass the application's access controls and interact directly with the underlying database. Because this is a blind SQL injection, the attacker receives no direct query output; instead, database contents are inferred one condition at a time through timing differences or other indirect signals. This could enable extraction of sensitive data such as user credentials, customer information, vehicle details, and potentially the database schema itself. Successful exploitation could lead to complete compromise of the WordPress site and its associated data, with consequent damage to the business's reputation and customer trust. While no direct precedent for this specific plugin is immediately obvious, blind SQL injection vulnerabilities are frequently exploited to gain persistent access and escalate privileges.
CVE-2025-67928 was published on 2026-01-08. The EPSS score is pending evaluation, but given the CRITICAL CVSS score and the nature of SQL injection, it is likely to be assessed as a high probability of exploitation. No public proof-of-concept (PoC) code had been released at the time of writing, but the vulnerability's severity suggests it could become a target for exploitation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Exploit Status
EPSS
0.05% (14% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-67928 is to immediately upgrade Automotive Listings to version 18.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These might include restricting database user permissions to the minimum necessary, implementing strict input validation and sanitization on all user-supplied data, and utilizing a Web Application Firewall (WAF) with SQL injection protection rules. Monitor WordPress logs for suspicious database queries and unusual activity. After upgrading, confirm the vulnerability is resolved by attempting a SQL injection attack on a non-critical endpoint and verifying that it is blocked or fails.
Update to version 18.7, or a newer patched version
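The mitigation text above recommends watching logs for unusual activity while a patch is rolled out. The following is an added example, not code from the advisory or from the Automotive Listings plugin, of what that check can look like in practice: it parses constructed web-server access-log lines (combined format with an nginx-style request time appended, an assumption about the log layout), URL-decodes each request, and flags entries whose query string carries the time-delay or boolean-inference shapes characteristic of blind SQL injection probing, correlating them with slow responses. The `/listings/?make=` path and all IP addresses are constructed for the sample and are not taken from the plugin.

```python
"""Flag access-log lines consistent with blind SQL injection probing of a
WordPress site. All sample data below is constructed; the parameter name
'make' and the log layout are assumptions, not facts about the plugin."""
import re
from urllib.parse import unquote_plus

# Combined log format followed by a request-time field (seconds), as nginx's
# $request_time would append it. Assumed layout for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "[^"]*" (?P<request_time>\d+\.\d+)$'
)

# Time-delay primitives used to make a blind injection observable via latency.
DELAY_RE = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay\b", re.IGNORECASE)
# Boolean-inference shape: a quote followed by AND/OR and a numeric comparison.
BOOLEAN_RE = re.compile(r"'\s*(?:and|or)\s+\d+\s*=\s*\d+", re.IGNORECASE)

SLOW_SECONDS = 3.0  # constructed threshold; tune to the site's normal latency


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["request_time"] = float(entry["request_time"])
    # Decode twice so that single- and double-encoded payloads both become visible.
    entry["decoded_path"] = unquote_plus(unquote_plus(entry["path"]))
    return entry


def classify(entry):
    """Return the reasons an entry looks like a blind SQLi probe (empty list if none)."""
    reasons = []
    decoded = entry["decoded_path"]
    if DELAY_RE.search(decoded):
        reasons.append("time-delay function in request")
    if BOOLEAN_RE.search(decoded):
        reasons.append("boolean inference pattern in request")
    # A slow response only matters when the request itself carries a probe signature.
    if reasons and entry["request_time"] >= SLOW_SECONDS:
        reasons.append(f"slow response ({entry['request_time']:.1f}s) consistent with time-based probe")
    return reasons


def scan(lines):
    """Scan log lines and return one finding per suspicious request."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparsable line: skipped, not treated as malicious
        reasons = classify(entry)
        if reasons:
            findings.append({"ip": entry["ip"], "path": entry["path"], "reasons": reasons})
    return findings


def offenders(findings):
    """Count findings per source IP, so repeated probing from one client stands out."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


# Constructed sample log: one normal listing search, two probe-shaped requests
# from the same client, and an unrelated login POST.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Jan/2026:10:00:01 +0000] "GET /listings/?make=toyota HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.120',
    '203.0.113.9 - - [08/Jan/2026:10:00:07 +0000] "GET /listings/?make=toyota%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 5120 "-" "curl/8.0" 5.204',
    '203.0.113.9 - - [08/Jan/2026:10:00:15 +0000] "GET /listings/?make=toyota%27%20AND%201%3D1--%20 HTTP/1.1" 200 5120 "-" "curl/8.0" 0.131',
    '198.51.100.2 - - [08/Jan/2026:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" 0.310',
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for finding in results:
        print(finding["ip"], finding["path"], "; ".join(finding["reasons"]))
    print("findings per IP:", offenders(results))
```

Signature matching of this kind is a stopgap: it catches the common probe shapes but not every encoding or syntax variant, so it complements rather than replaces upgrading the plugin and running the database account with least privilege.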
CVE-2025-67928 is a critical SQL Injection vulnerability affecting themesuite Automotive Listings plugin versions 0.0.0–18.6, allowing attackers to potentially extract data through blind SQL injection.
If you are using Automotive Listings versions 0.0.0 through 18.6, you are vulnerable to this SQL Injection flaw. Check your plugin version immediately.
Upgrade Automotive Listings to version 18.7 or later to resolve this vulnerability. If immediate upgrade is not possible, implement temporary mitigations like WAF rules and input validation.
While no active exploitation has been publicly confirmed, the CRITICAL severity suggests it could become a target. Monitor security advisories and threat intelligence.
Refer to the themesuite website and WordPress plugin repository for the official advisory and update information regarding CVE-2025-67928.