Platform: wordpress
Component: crete-core
Fixed in: 1.4.4
CVE-2025-69305 describes a critical SQL Injection vulnerability discovered in the Crete Core WordPress plugin. This flaw allows attackers to potentially extract sensitive data from the database through blind SQL injection techniques. The vulnerability impacts versions from 0.0.0 up to and including 1.4.3. A patch is expected to be released by the vendor.
The SQL Injection vulnerability in Crete Core allows an attacker to bypass security measures and directly manipulate database queries. This can lead to unauthorized access to sensitive information, including user credentials, configuration data, and potentially even the entire database contents. The 'blind' nature of the injection means the attacker doesn't receive direct feedback from the database, requiring them to infer data through multiple queries, but the potential impact remains severe. Successful exploitation could result in complete data compromise and system takeover, similar to attacks targeting other WordPress plugins with SQL injection flaws.
The vulnerability was publicly disclosed on 2026-02-20. As of this date, there is no indication of active exploitation campaigns targeting CVE-2025-69305. The vulnerability's severity is high due to the potential for data exfiltration and system compromise. No KEV listing is currently available.
Exploit Status
EPSS: 0.04% (12th percentile)
The primary mitigation for CVE-2025-69305 is to immediately upgrade the Crete Core plugin to a patched version once available. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL injection attempts targeting the plugin's vulnerable endpoints. Additionally, review and harden database user permissions to limit the potential damage from a successful attack. After upgrade, confirm the vulnerability is resolved by attempting a test SQL injection payload on the affected endpoint and verifying that it is blocked or returns an error.
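As an added example (not from the advisory or the plugin vendor) of the log-side check that complements the WAF advice above: a Python scan of web-server access logs for blind SQL injection probes aimed at the plugin. The plugin path prefix, the `id` parameter and the log lines are assumptions or constructed samples, since the advisory names no endpoint; the rules cover the two blind-SQLi families (time delays and boolean tautologies) rather than one fixed payload.

```python
import re
from urllib.parse import unquote_plus

# Assumed path prefix for the plugin: the advisory names no specific endpoint.
PLUGIN_PATH = "/wp-content/plugins/crete-core/"

# Signatures typical of blind SQLi (time-based delays, boolean tautologies), applied to the decoded query only.
BLIND_SQLI_RULES = [
    ("time-based", re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("boolean", re.compile(r"\b(?:and|or)\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+", re.I)),
]

# Common log format: ip ident user [ts] "method url proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample traffic (not real logs): lines 2-3 probe the assumed plugin
# path, line 4 sends the same probe to an unrelated plugin and must be ignored.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Feb/2026:10:00:01 +0000] "GET /wp-content/plugins/crete-core/ajax.php?id=12 HTTP/1.1" 200 512
203.0.113.5 - - [20/Feb/2026:10:00:02 +0000] "GET /wp-content/plugins/crete-core/ajax.php?id=12%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512
203.0.113.5 - - [20/Feb/2026:10:00:03 +0000] "GET /wp-content/plugins/crete-core/ajax.php?id=12%20AND%201%3D1 HTTP/1.1" 200 512
198.51.100.7 - - [20/Feb/2026:10:00:04 +0000] "GET /wp-content/plugins/other-plugin/view.php?q=SLEEP(1) HTTP/1.1" 200 100
"""


def decode_url(url, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are seen."""
    for _ in range(rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url


def find_blind_sqli_hits(log_text):
    """One dict per request to the plugin path whose query matches a rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        path, _, query = decode_url(m.group("url")).partition("?")
        if not path.startswith(PLUGIN_PATH):
            continue  # out of scope for this advisory
        rules = [name for name, rx in BLIND_SQLI_RULES if rx.search(query)]
        if rules:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "query": query, "rules": rules})
    return hits
```

Hits grouped by source IP give a simple blocking or alert threshold; a request that matches while the plugin is still at an affected version should be treated as an attempted exploitation and investigated.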
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-69305 is a critical SQL Injection vulnerability affecting versions 0.0.0–1.4.3 of the Crete Core WordPress plugin, allowing attackers to potentially extract sensitive data.
If you are using the Crete Core WordPress plugin at any version from 0.0.0 through 1.4.3, you are potentially affected by this vulnerability. Check your installed plugin versions immediately.
Upgrade to the latest version of the Crete Core plugin as soon as a patch is released. Until then, implement WAF rules to mitigate the risk.
As of the disclosure date, there is no confirmed active exploitation of CVE-2025-69305, but it is a critical vulnerability and should be addressed promptly.
Refer to the TeconceTheme website or WordPress plugin repository for the official advisory and patch release information regarding CVE-2025-69305.