Platform
wordpress
Component
wpchurch
Fixed in
2.7.1
CVE-2025-32303 identifies a SQL injection vulnerability in WPCHURCH, a WordPress plugin. The flaw lets an attacker inject SQL of their choosing into a query the plugin builds from request input, potentially leading to unauthorized data access and manipulation. All versions up to and including 2.7.0 are affected (no lower bound is given); the fix is in version 2.7.1.
The SQL injection in WPCHURCH allows an attacker to craft malicious SQL that the database executes with the privileges of the site's database user. Successful exploitation could expose whatever the plugin and the rest of the WordPress database store, user credentials and any financial or membership records included. An attacker could also modify or delete data, breaking data integrity or taking the site down. The flaw is reported as a blind SQL injection: the application does not return query results to the attacker, who instead infers data one condition at a time, either with boolean probes (a true condition changes the response, a false one does not) or with time-based probes (a SLEEP() call delays the response only when a condition holds). That makes extraction slower and noisier than a classic union-based injection, but it does not diminish the impact.
CVE-2025-32303 was published on 2026-01-07. The vulnerability's severity is rated as CRITICAL (CVSS 9.3). As of this writing, there are no publicly known proof-of-concept exploits. It is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed, but the high severity warrants immediate attention and patching.
Websites running an unpatched WPCHURCH version (any release up to and including 2.7.0) are at significant risk. Shared hosting environments are a particular concern when several sites share one database server or, worse, one database user: a compromise of one site can then reach the data of the others.
• wordpress / composer / npm:
grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/wpchurch/
• generic web:
# Endpoint, parameter names and payload are placeholders: the affected parameter is not published.
# For a blind, time-based check compare time_total for a benign value against a delayed one.
# The URL is quoted so the shell does not treat "&" as a job separator.
curl -s -o /dev/null -w '%{http_code} %{time_total}\n' "https://your-wpchurch-site.com/index.php?page=some_parameter&value=${PAYLOAD}"
• database (mysql):
SELECT @@version;
• wordpress / composer / npm:
wp plugin list --fields=name,version,status | grep -i wpchurch
• wordpress / composer / npm:
# Legacy mysql_* calls (removed in PHP 7) and string-built queries are the patterns to look for;
# WordPress plugins should build queries through $wpdb->prepare().
find /var/www/html/wp-content/plugins/wpchurch/ -type f -name '*.php' -print0 | xargs -0 grep -i 'mysql_query'
Disclosure
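A version check that turns the page's affected-range and fixed-in fields into something a host operator can run, added here as an example; it is not WPCHURCH code and not tooling from the advisory. It assumes the plugin lives in /var/www/html/wp-content/plugins/wpchurch, the path the commands above use (override with WPCHURCH_DIR), and that the plugin's main file carries a standard WordPress "Version:" header.

```shell
#!/bin/sh
# Added example for CVE-2025-32303 (not code from WPCHURCH or its vendor):
# decide whether an installed WPCHURCH version is inside the affected range
# "n/a - 2.7.0", i.e. strictly below the fixed release.
FIXED_VERSION="2.7.1"

# Assumption: same plugin path as the page's grep/find commands; override via env.
WPCHURCH_DIR="${WPCHURCH_DIR:-/var/www/html/wp-content/plugins/wpchurch}"

# vercmp A B: print -1, 0 or 1 as A is lower than, equal to or higher than B.
# Components are compared numerically, so 2.10.0 > 2.7.1 (a plain string
# compare would get that wrong); a missing component counts as 0 and a
# non-digit suffix such as "-beta" is ignored.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=$(printf '%s' "${a%%.*}" | tr -cd '0-9')
    bi=$(printf '%s' "${b%%.*}" | tr -cd '0-9')
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    if [ "${ai:-0}" -lt "${bi:-0}" ]; then printf '%s\n' -1; return; fi
    if [ "${ai:-0}" -gt "${bi:-0}" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# Exit status 0 (true) when VERSION is affected, i.e. below 2.7.1.
wpchurch_vulnerable() {
  [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Read "Version: x.y.z" from the plugin header comment. The main file's name
# is not known here, so every top-level .php file in DIR is tried.
installed_wpchurch_version() {
  grep -h -m1 -E '^[[:space:]*]*Version:' "$1"/*.php 2>/dev/null \
    | head -n 1 \
    | sed -E 's/^[[:space:]*]*Version:[[:space:]]*//; s/[[:space:]]*$//'
}

if [ -d "$WPCHURCH_DIR" ]; then
  v=$(installed_wpchurch_version "$WPCHURCH_DIR")
  if [ -z "$v" ]; then
    echo "wpchurch: no Version: header found under $WPCHURCH_DIR"
  elif wpchurch_vulnerable "$v"; then
    echo "wpchurch $v is AFFECTED by CVE-2025-32303 (fixed in $FIXED_VERSION)"
  else
    echo "wpchurch $v is not affected (>= $FIXED_VERSION)"
  fi
else
  echo "wpchurch: $WPCHURCH_DIR not found; run on the web host or set WPCHURCH_DIR"
fi
```

The numeric comparison matters because the affected range has no lower bound: a string compare would declare 2.10.0 affected and 2.7.0-beta safe, and both conclusions would be wrong.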
Exploit Status
EPSS
0.04% (percentile 14%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-32303 is to upgrade WPCHURCH to version 2.7.1 or later without delay. If an immediate upgrade is not feasible because of compatibility testing, apply temporary workarounds in the meantime. A precise WAF rule is hard to write for a blind injection whose affected parameter is not published, although generic SQL injection rule sets still catch the common probes. Parameterized queries and input validation are the code-level fix on the plugin side (in WordPress, $wpdb->prepare()), not something a site operator can bolt on. What operators can do: deactivate the plugin until it is upgraded if its functionality is not critical; run the site under a database user that holds only the privileges WordPress needs on its own database (no FILE or SUPER, no access to other schemas) so that a successful injection cannot reach other sites' data; and monitor database logs for query shapes that never occur in normal traffic, such as SLEEP(), BENCHMARK() or an appended tautology like AND 1=1.
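As an added example for the log-monitoring advice above and for the boolean- and time-based probing described in the impact paragraph (not WPCHURCH code and not the advisory's own tooling): a small classifier that flags, in MySQL general-log style lines, the query shapes blind injection probes leave behind. The log lines are constructed for the example, and the wp_wpchurch_events table name in them is invented; the plugin's real queries will differ.

```shell
#!/bin/sh
# Added example for CVE-2025-32303 (not WPCHURCH code): classify logged SQL
# statements by the tell-tale shapes of blind SQL injection probes.
#   boolean-based: a tautology/contradiction appended to the WHERE clause
#   time-based:    SLEEP()/BENCHMARK() used to make a true condition slow
#   error-based:   EXTRACTVALUE()/UPDATEXML() used to leak data via errors
#   schema-enum:   reads of information_schema to map tables and columns
# None of these appear in the queries a plugin page normally issues.

# classify_query SQL: print the category, or nothing for a benign statement.
classify_query() {
  q="$1"
  if printf '%s\n' "$q" | grep -Eiq '(sleep|benchmark)[[:space:]]*\('; then
    echo time-based
  elif printf '%s\n' "$q" | grep -Eiq '(extractvalue|updatexml)[[:space:]]*\('; then
    echo error-based
  elif printf '%s\n' "$q" | grep -Eiq '[[:space:]](and|or)[[:space:]]+[0-9]+[[:space:]]*=[[:space:]]*[0-9]+'; then
    echo boolean-based
  elif printf '%s\n' "$q" | grep -Eiq 'information_schema'; then
    echo schema-enum
  fi
}

# flag_suspicious_sql: read log lines on stdin, print "<category> TAB <line>" per hit.
flag_suspicious_sql() {
  while IFS= read -r line; do
    kind=$(classify_query "$line")
    if [ -n "$kind" ]; then
      printf '%s\t%s\n' "$kind" "$line"
    fi
  done
  return 0
}

# count_suspicious_sql: number of flagged lines on stdin.
count_suspicious_sql() {
  flag_suspicious_sql | wc -l | tr -d ' '
}

# Constructed sample in a simplified MySQL general-log layout
# (timestamp, connection id, command, statement). Table names are invented.
sample_log() {
  cat <<'EOF'
2026-01-07T10:00:01Z 12 Query SELECT id, name FROM wp_wpchurch_events WHERE id = 42
2026-01-07T10:00:02Z 12 Query SELECT id, name FROM wp_wpchurch_events WHERE id = 42 AND 1=1
2026-01-07T10:00:03Z 13 Query SELECT option_value FROM wp_options WHERE option_name = 'siteurl' LIMIT 1
2026-01-07T10:00:04Z 12 Query SELECT id, name FROM wp_wpchurch_events WHERE id = 42 AND SLEEP(5)
2026-01-07T10:00:05Z 14 Query SELECT COUNT(*) FROM wp_posts WHERE post_status = 'publish' AND post_type = 'post'
2026-01-07T10:00:06Z 12 Query SELECT id, name FROM wp_wpchurch_events WHERE id = 42 AND (SELECT BENCHMARK(5000000,MD5(1)))
2026-01-07T10:00:07Z 12 Query SELECT id, name FROM wp_wpchurch_events WHERE id = -1 UNION SELECT table_name, NULL FROM information_schema.tables
EOF
}

# Demo: four of the seven constructed lines are flagged; the three legitimate
# WordPress queries (including the one containing "AND post_type") are not.
sample_log | flag_suspicious_sql
```

The functions read any stream of statements, so they apply equally to the slow query log, which is the cheaper place to look in production: a SLEEP(5) probe exceeds any sensible long_query_time, whereas the general log records every statement the server sees. The same connection id appearing on several flagged lines, as in the sample, is the pattern a manual probe or sqlmap-style tool produces.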
Update the WPCHURCH plugin to a fixed version (later than 2.7.0) to mitigate the blind SQL injection vulnerability. Consult the plugin's release notes for specific upgrade instructions and make sure to back up your website before upgrading.
CVE-2025-32303 is a critical SQL Injection vulnerability affecting WPCHURCH versions before 2.7.1, allowing attackers to potentially extract or modify data.
If you are running any WPCHURCH version up to and including 2.7.0, you are vulnerable to this SQL injection flaw.
Upgrade WPCHURCH to version 2.7.1 or later to resolve this vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
As of now, there are no confirmed reports of active exploitation, but the high severity warrants immediate action.
Refer to the official WPCHURCH website or the plugin's WordPress listing and changelog for the latest security advisories and updates.