Platform: wordpress
Component: nest-addons
Fixed in: 1.6.4
CVE-2025-54720 is a SQL injection vulnerability in the SteelThemes Nest Addons WordPress plugin. Attacker-controlled input reaches a database query without adequate escaping or parameterisation, so an attacker can alter the query the plugin runs. The flaw affects versions 0.0.0 through 1.6.3 and is fixed in version 1.6.4.
Successful exploitation lets an attacker execute SQL of their choosing against the WordPress database with the privileges of the site's database user. In practice that means reading tables the plugin never meant to expose, including wp_users (usernames, e-mail addresses and password hashes) and any plugin tables holding personally identifiable information (PII), and, depending on the query context, modifying or deleting rows, which affects data integrity and service availability. Because every plugin on a WordPress site shares one database and one database user, the impact is site-wide rather than confined to the data Nest Addons itself manages.
CVE-2025-54720 was published on 2025-08-28. No public proof of concept is known at the time of writing, and the EPSS score is low (0.03%, 10th percentile). Monitor security advisories and threat intelligence feeds for any indication of active exploitation.
WordPress sites running Nest Addons versions 0.0.0 through 1.6.3 are affected. Sites on shared or managed hosting where plugin updates are applied centrally may lag behind the fix; confirm the installed version on each site rather than assuming the update has been rolled out.
• wordpress / composer / npm:
# Rough code audit: lists raw SQL in the plugin; queries built without $wpdb->prepare() are the ones to inspect
grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/nest-addons/
• generic web:
# Illustrative request only: this advisory does not publish the vulnerable page or parameter, so the path and parameters below are placeholders, not a confirmed injection point. The URL must be quoted, otherwise the shell treats "&" as a background operator.
curl -I "http://your-wordpress-site.com/wp-admin/admin.php?page=nest-addons-settings&action=update_options&option_name=some_input" --header "X-Custom-Header: 'OR 1=1"
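The commands above do not settle whether a given site is affected; the decisive check is the installed plugin version. The script below is an added example, not code from this advisory or from SteelThemes. It assumes the plugin's main PHP file carries a standard WordPress plugin header with a `Version:` line and that the plugin lives under wp-content/plugins/nest-addons (both ordinary WordPress conventions, but assumptions here); the function names are mine. The version comparison is numeric per dotted component rather than a string comparison, so a hypothetical 1.10.0 is correctly treated as newer than 1.6.4, and a pre-release suffix such as 1.6.3-rc1 is compared on its numeric part.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): report whether an
# installed Nest Addons copy falls in the affected range 0.0.0 - 1.6.3.
# Assumption: the plugin's main PHP file has a WordPress header "Version:" line.

NEST_ADDONS_FIXED_VERSION="1.6.4"

# Print the "Version:" header value of a plugin file (first match only).
# Handles both " * Version: 1.6.3" and "Version: 1.6.3" header styles.
plugin_header_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9A-Za-z.-]*\).*/\1/p' "$1" | head -n 1
}

# Compare two dotted versions component by component; print -1, 0 or 1.
# Missing components count as 0 (1.6 == 1.6.0); non-digit suffixes such as
# "-rc1" are stripped before the numeric comparison.
version_cmp() {
    _a="$1"; _b="$2"
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x="${_a%%.*}"; _y="${_b%%.*}"
        case "$_a" in *.*) _a="${_a#*.}" ;; *) _a="" ;; esac
        case "$_b" in *.*) _b="${_b#*.}" ;; *) _b="" ;; esac
        _x="${_x%%[!0-9]*}"; _y="${_y%%[!0-9]*}"
        _x="${_x:-0}"; _y="${_y:-0}"
        if [ "$_x" -lt "$_y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$_x" -gt "$_y" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Succeeds (exit 0) when the given version is older than the fixed release.
nest_addons_is_vulnerable() {
    [ "$(version_cmp "$1" "$NEST_ADDONS_FIXED_VERSION")" -lt 0 ]
}

# Inspect a plugin directory and print one of:
#   "VULNERABLE <version>" (exit 1), "PATCHED <version>" (exit 0), "UNKNOWN" (exit 2)
check_nest_addons_dir() {
    _dir="$1"; _ver=""
    for _f in "$_dir"/*.php; do
        [ -f "$_f" ] || continue
        _ver="$(plugin_header_version "$_f")"
        [ -n "$_ver" ] && break
    done
    if [ -z "$_ver" ]; then printf '%s\n' "UNKNOWN"; return 2; fi
    if nest_addons_is_vulnerable "$_ver"; then printf '%s\n' "VULNERABLE $_ver"; return 1; fi
    printf '%s\n' "PATCHED $_ver"; return 0
}

# Usage: check_nest_addons_dir /var/www/html/wp-content/plugins/nest-addons
```

Run `check_nest_addons_dir` against each site's plugin directory; a non-zero exit status means the site either still needs the update (1) or could not be assessed because no header was found (2), which makes the check easy to drop into a loop over the document roots of a shared-hosting server.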
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-54720 is to upgrade Nest Addons to version 1.6.4 or later without delay. If upgrading is not immediately feasible, a Web Application Firewall (WAF) can be used as a stopgap; because the vulnerable page and parameter have not been published, the WAF can only apply generic SQL injection signatures, which reduces exposure but does not close the flaw. Input validation and sanitisation on the WordPress side, where the site owner can influence it, adds a further layer of defence. Review web server access logs and database query logs regularly for suspicious activity.
Update the Nest Addons plugin to the latest available version to fix the SQL injection vulnerability. Check for available updates in the WordPress plugin repository or on the developer's website. Add further safeguards, such as validating and sanitising user input, to prevent similar vulnerabilities.
CVE-2025-54720 is a SQL injection vulnerability in SteelThemes Nest Addons that allows an attacker to read, and potentially modify, data in the site's database.
You are affected if you are using Nest Addons versions 0.0.0 through 1.6.3. Upgrade to 1.6.4 to mitigate the risk.
Upgrade Nest Addons to version 1.6.4 or later. Consider WAF rules as an interim measure if immediate upgrade is not possible.
Currently, there are no confirmed reports of active exploitation, but monitoring is recommended.
Refer to the SteelThemes website and WordPress plugin repository for the latest advisory and update information.