Platform
wordpress
Component
custom-api-for-wp
Fixed in
4.2.3
CVE-2025-54048 identifies a SQL Injection vulnerability within the Custom API for WP plugin. This flaw allows attackers to inject malicious SQL code, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 up to and including 4.2.2. A patch is available in version 4.2.3.
Successful exploitation of this SQL Injection vulnerability could grant an attacker complete control over the WordPress database. They could extract sensitive user data, including usernames, passwords, and personal information. Furthermore, an attacker could modify or delete data, disrupt website functionality, or even gain administrative access to the WordPress installation. The potential for data breach and system compromise is significant, particularly if the database contains critical business or customer information. This vulnerability’s impact is amplified if the WordPress site is used for e-commerce or handles sensitive financial data.
CVE-2025-54048 was publicly disclosed on August 20, 2025. The vulnerability's severity is high due to the ease of exploitation and the potential impact. No public proof-of-concept (PoC) code has been observed at the time of writing, but the SQL Injection nature of the vulnerability makes it likely that PoCs will emerge. It is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the Custom API for WP plugin, particularly those handling sensitive user data or financial transactions, are at significant risk. Shared hosting environments where multiple WordPress installations share the same database are also at increased risk, as a compromise of one site could potentially impact others.
• wordpress / composer / npm (on the server; `wp plugin list` prints the plugin slug and installed version, so grep for the slug given in the Component field):
grep -ril "Custom API for WP" /var/www/html/wp-content/plugins/
wp plugin list | grep custom-api-for-wp
• generic web (remote; WordPress.org plugins publish their release in the readme's Stable tag, a value below 4.2.3 means the site is affected):
curl -s https://your-wordpress-site.com/wp-content/plugins/custom-api-for-wp/readme.txt | grep -i 'stable tag'
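The two checks above only print a version string; deciding whether that string falls in the advisory's affected range (0.0.0 through 4.2.2, fixed in 4.2.3) still needs a numeric comparison, since a plain string comparison would misjudge releases such as 4.10.0. The following added example (not part of the advisory or the plugin) parses the version out of `wp plugin list` output or a readme.txt Stable tag and applies that range; the sample outputs are constructed.

```python
"""Decide whether an installed Custom API for WP is in the affected range
0.0.0 <= version <= 4.2.2 (fixed in 4.2.3), from `wp plugin list` output
or the plugin's readme.txt.  Sample inputs below are constructed."""
import re

PLUGIN_SLUG = "custom-api-for-wp"   # slug from the advisory's Component field
FIXED_IN = (4, 2, 3)                # first fixed release per the advisory


def parse_version(text):
    """Turn '4.2.2' (or '4.2.2-beta1') into a tuple of ints, padded so
    that '4.2' compares as 4.2.0; pre-release suffixes are ignored."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    """True when the version is strictly below the first fixed release."""
    return parse_version(version) < FIXED_IN


def version_from_plugin_list(output, slug=PLUGIN_SLUG):
    """Installed version of `slug` from `wp plugin list` table output
    (columns: name status update version); None if not installed."""
    for line in output.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == slug:
            return cols[-1]
    return None


def version_from_readme(readme):
    """Read the 'Stable tag:' header that WordPress.org readme.txt files carry."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


# Constructed sample of `wp plugin list` output and of a readme.txt header.
SAMPLE_WP_PLUGIN_LIST = """\
name                 status    update     version
akismet              active    none       5.3.2
custom-api-for-wp    active    available  4.2.2
"""
SAMPLE_README = "=== Custom API for WP ===\nStable tag: 4.2.3\nRequires at least: 5.0\n"

if __name__ == "__main__":
    v = version_from_plugin_list(SAMPLE_WP_PLUGIN_LIST)
    print(PLUGIN_SLUG, v, "AFFECTED" if is_affected(v) else "patched")
```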
Exploit Status
EPSS
0.04% (percentile 12%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-54048 is to immediately upgrade the Custom API for WP plugin to version 4.2.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious SQL queries targeting the vulnerable API endpoints. Carefully review and sanitize all user inputs to prevent SQL injection attempts. Monitor WordPress logs for suspicious SQL queries or database activity. After upgrading, confirm the fix by attempting a SQL injection attack on the vulnerable endpoint and verifying that it is blocked.
Update the 'Custom API for WP' plugin to the latest available version to mitigate the SQL injection vulnerability. Check the plugin page on wordpress.org for the most recent version and update instructions. Be sure to back up your website before updating any plugin.
CVE-2025-54048 is a critical SQL Injection vulnerability affecting the Custom API for WP plugin, allowing attackers to inject malicious SQL code and potentially access sensitive data.
You are affected if you are using Custom API for WP versions 0.0.0 through 4.2.2. Upgrade to 4.2.3 or later to mitigate the risk.
Upgrade the Custom API for WP plugin to version 4.2.3 or later. Consider implementing a WAF rule as an interim measure if immediate upgrade is not possible.
While no active exploitation has been confirmed, the vulnerability's nature makes it likely that exploitation attempts will occur. Monitor your systems closely.
Refer to the miniOrange website and WordPress plugin repository for the official advisory and update information regarding CVE-2025-54048.