Platform
wordpress
Component
apartment-management
Fixed in
44.0.1
CVE-2025-39395 is a SQL injection vulnerability in the WPAMS (apartment-management) plugin for WordPress. Attacker-controlled input reaches a database query without proper parameterisation, so the attacker can alter the query and read or modify data the query was never meant to expose. Affected versions are 0.0.0 through 44.0 (44.0 was released on 2023-08-17); the fix ships in version 44.0.1.
A WordPress plugin does not have a database of its own: it issues queries through the site's shared database connection ($wpdb), so a successful injection reaches the whole WordPress database, not just the plugin's tables. That covers the tenant, lease and financial records WPAMS stores, but also wp_users (password hashes) and wp_options (site configuration). Reading password hashes or rewriting options can turn a data breach into an administrator login, site defacement or full site takeover, and if the site's database account holds server-wide privileges such as FILE or SUPER the impact extends to the database host itself. Treat the blast radius as the entire WordPress site and every service that trusts it, not only the apartment management system.
CVE-2025-39395 was published on 2025-05-19. The severity is rated CRITICAL on the grounds that SQL injection in a web plugin is usually simple to exploit and the impact is high; note that no CVSS vector is recorded on this page, and the EPSS score listed below (0.23%, 46th percentile) predicts a low near-term probability of exploitation. Public proof-of-concept code frequently follows the disclosure of SQL injection bugs in WordPress plugins, so monitor security advisories and threat intelligence feeds for signs of exploitation campaigns against WPAMS installations.
Property management businesses and any other organisation running the WPAMS plugin on a WordPress site are exposed, above all those still on the affected versions (0.0.0 through 44.0). On shared hosting the risk grows only where sites share a database account or database server: the injection itself is confined to the database the compromised site can reach, but a reused credential or an over-privileged database account lets one compromised site affect its neighbours.
• wordpress / composer / npm:
grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/wpams/
This only lists raw SQL statements in the plugin source for manual review; it cannot tell you whether the installed build is vulnerable, and the directory may be named apartment-management rather than wpams depending on how the plugin was installed.
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/wpams/
At most this confirms that the plugin directory is present and reachable from outside; the original pipe into grep SQL was meaningless, since the response headers of a HEAD request carry no SQL.
• wordpress / composer / npm:
wp plugin list --status=active --fields=name,version | grep -iE 'wpams|apartment'
The installed version is the check that matters: every version up to and including 44.0 is affected, 44.0.1 or later is fixed.
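As an added example (not code from the original page or from the WPAMS project), the following POSIX shell script turns the version check above into a yes/no answer without WP-CLI: it reads the Version: header that WordPress requires in a plugin's main PHP file and compares it component-wise against 44.0.1, so that 44.0 is correctly ranked below 44.0.1 (a plain string comparison would also rank 9.9 above 44.0). The plugin directory is passed as the first argument; the wpams / apartment-management directory names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original page or of the WPAMS plugin): decide
# whether an installed copy of the plugin is below the fixed version 44.0.1 by
# reading the "Version:" header WordPress requires in the main plugin file.
# The directory name is whatever the install used (wpams or
# apartment-management are assumptions); pass the real path as $1.

FIXED_VERSION="44.0.1"

# Print the Version: header value from the first top-level PHP file that has one.
plugin_version() {
  grep -hiE '^[[:space:]]*\*?[[:space:]]*Version:' "$1"/*.php 2>/dev/null \
    | head -n 1 \
    | sed -E 's/^.*[Vv]ersion:[[:space:]]*//; s/[[:space:]]*$//'
}

# Exit 0 when $1 is numerically lower than $2, comparing dotted components
# one by one (so 44.0 < 44.0.1 < 44.1 and 9.9 < 44.0).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "."); nb = split(b, B, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0
      y = (i <= nb) ? B[i] + 0 : 0
      if (x < y) exit 0
      if (x > y) exit 1
    }
    exit 1
  }'
}

# Exit 0 when the plugin in directory $1 is affected by CVE-2025-39395,
# 1 when it is at or above the fixed version, 2 when no version header is found.
is_affected() {
  v=$(plugin_version "$1")
  [ -n "$v" ] || { echo "no Version: header found under $1" >&2; return 2; }
  version_lt "$v" "$FIXED_VERSION"
}

# Stand-alone use: ./check-wpams.sh /var/www/html/wp-content/plugins/apartment-management
if [ -n "${1:-}" ]; then
  v=$(plugin_version "$1")
  if [ -z "$v" ]; then
    echo "no Version: header found under $1" >&2
    exit 2
  fi
  if version_lt "$v" "$FIXED_VERSION"; then
    echo "AFFECTED: installed version $v is below $FIXED_VERSION"
    exit 1
  fi
  echo "OK: installed version $v is $FIXED_VERSION or later"
fi
```

Run it against each WordPress install on the host; a non-zero exit makes it easy to wire into a fleet-wide audit. The header read is a static check, so it still reports AFFECTED for a site where the vulnerable code path has been removed or patched by hand, which is why the upgrade to 44.0.1 remains the only reliable fix.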
Exploit status
EPSS
0.23% (46th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-39395 is to upgrade the WPAMS plugin to version 44.0.1 or later without delay. If the upgrade has to wait because of compatibility concerns, reduce exposure in the meantime: apply least privilege to the WordPress database account (a plugin has no database user of its own, so this means the account the whole site uses; it should hold only the table-level privileges WordPress needs on its own database, never FILE, SUPER or grants on other databases), put a Web Application Firewall with SQL injection rules in front of the site while remembering that filters can be bypassed, and review the user inputs the plugin accepts. Monitor web server access logs for requests to the plugin's paths that carry quotes, UNION SELECT or similar SQL fragments. After upgrading, confirm the installed version reads 44.0.1 or later and, on systems you are authorised to test, re-test the previously affected inputs to verify that injected SQL is no longer interpreted.
Update the WPAMS plugin to the latest available version to mitigate the SQL injection vulnerability. Check for available updates in the WordPress plugin repository or on the developer's website. Add further safeguards, such as validation and sanitisation of user input, to prevent future vulnerabilities.
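Added example (not from the original page or the WPAMS project) for the log-monitoring step in the mitigation advice above: a POSIX shell wrapper around awk that pulls the request path out of combined-format access-log lines, URL-decodes it, restricts attention to the plugin's paths and flags the classic injection markers (a quote followed by OR/AND/comment, UNION SELECT, SLEEP/BENCHMARK calls, OR 1=1 tautologies). The sample log lines, the wpams directory name and the wpams_search admin-ajax action are constructed for the demonstration and are not known endpoints of the plugin.

```shell
#!/bin/sh
# Added example (not part of the original page or of the WPAMS plugin): flag
# access-log requests aimed at the plugin that carry SQL injection markers.
# The plugin directory name "wpams", the admin-ajax action "wpams_search" and
# the sample log lines below are all constructed for this demonstration.

# Print every combined-log-format line whose request path (a) targets the
# plugin and (b) contains, after URL decoding, a classic injection pattern.
sqli_hits() {
  awk -v Q="'" '
    function hex2dec(h,  i, v) {
      v = 0
      for (i = 1; i <= length(h); i++)
        v = v * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
      return v
    }
    # Decode %XX escapes and "+" so that %27 shows up as a quote character.
    function urldecode(s,  out, c) {
      out = ""
      while (length(s) > 0) {
        c = substr(s, 1, 1)
        if (c == "%" && substr(s, 2, 2) ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
          out = out sprintf("%c", hex2dec(substr(s, 2, 2))); s = substr(s, 4)
        } else if (c == "+") {
          out = out " "; s = substr(s, 2)
        } else {
          out = out c; s = substr(s, 2)
        }
      }
      return out
    }
    {
      # The request line is the first double-quoted field: "METHOD PATH PROTO".
      if (split($0, q, "\"") < 3) next
      split(q[2], r, " ")
      path = r[2]
      if (path !~ /wpams|apartment-management/) next   # scope to the plugin (assumed names)
      d = tolower(urldecode(path))
      gsub(/\/\*[^*]*\*\//, " ", d)     # "UNION/**/SELECT" -> "UNION SELECT"
      gsub(/[ \t]+/, " ", d)
      if (d ~ (Q "[ ]*(or|and|--|#)") ||
          d ~ /union[ ]+(all[ ]+)?select/ ||
          d ~ /(sleep|benchmark)[ ]*\(/ ||
          d ~ /(^|[^a-z])(or|and)[ ]+[0-9]+[ ]*=[ ]*[0-9]+/)
        print
    }' "$1"
}

# Constructed sample log: two injection attempts, two benign requests.
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.5 - - [19/May/2025:10:00:01 +0000] "GET /wp-content/plugins/wpams/assets/select-unit.js HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [19/May/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=wpams_search&id=12%27%20OR%201%3D1--%20- HTTP/1.1" 200 9871 "-" "curl/8.0"
198.51.100.7 - - [19/May/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=wpams_search&q=1+UNION+SELECT+user_login%2Cuser_pass+FROM+wp_users HTTP/1.1" 200 3311 "-" "python-requests/2.31"
203.0.113.5 - - [19/May/2025:10:00:04 +0000] "GET /wp-content/themes/twentytwentyfour/style.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
EOF
}

# Stand-alone run: scan the file given as $1, or the constructed sample.
if [ -n "${1:-}" ]; then
  sqli_hits "$1"
else
  tmp=$(mktemp); write_sample_log "$tmp"; sqli_hits "$tmp"; rm -f "$tmp"
fi
```

Point it at the real log with sqli_hits /var/log/apache2/access.log (or the nginx equivalent). A hit is a lead to investigate, not proof of a successful attack: the benign select-unit.js request in the sample shows why the patterns demand a quote or a full SQL sequence rather than a bare keyword, and because access logs record only the request line, payloads sent in a POST body are invisible to this filter and need a WAF or application-level logging instead.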
CVE-2025-39395 is a critical SQL Injection vulnerability affecting the WPAMS plugin for WordPress, allowing attackers to manipulate database queries and potentially gain unauthorized access to sensitive data.
You are affected if you are using WPAMS versions 0.0.0 through 44.0 (released on 2023-08-17). Check your plugin version and upgrade immediately if vulnerable.
Upgrade the WPAMS plugin to version 44.0.1 or later. If upgrading is not immediately possible, implement temporary workarounds like WAF rules and restricting database user privileges.
While there are no confirmed reports of active exploitation at this time, the vulnerability's criticality and ease of exploitation suggest that it is likely to be targeted by attackers.
Refer to the WPAMS plugin website or the WordPress plugin repository for the official advisory and update information.