Platform
wordpress
Component
automotive
Fixed in
18.6.1
CVE-2025-67928 describes a critical SQL Injection vulnerability discovered in themesuite Automotive Listings. This flaw allows attackers to perform blind SQL injection, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 up to and including 18.6, and a patch is available in version 18.7.
The SQL Injection vulnerability in Automotive Listings allows an attacker to bypass security measures and directly interact with the underlying database. Because it's a blind SQL injection, the attacker doesn't receive direct responses from the database, but can infer information through timing or other indirect methods. This could enable them to extract sensitive data such as user credentials, customer information, vehicle details, and potentially even database schema information. Successful exploitation could lead to complete compromise of the WordPress site and associated data, potentially impacting the business's reputation and customer trust. While no direct precedent is immediately obvious, blind SQL injection vulnerabilities are frequently exploited to gain persistent access and escalate privileges.
CVE-2025-67928 was published on 2026-01-08. The EPSS score is pending evaluation, but given the CRITICAL CVSS score and the nature of SQL injection, it is likely to be assessed as high probability. No public proof-of-concept (PoC) code has been publicly released at the time of writing, but the vulnerability's severity suggests it could become a target for exploitation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Websites utilizing themesuite Automotive Listings plugin, particularly those handling sensitive customer data or financial transactions, are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially impact others.
• wordpress / composer / npm:
  grep -r "themesuite/automotive-listings" /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
  wp plugin list | grep automotive-listings
• wordpress / composer / npm:
  curl -sI https://your-wordpress-site.com/wp-content/plugins/automotive-listings/ | head -n 1
  (a 200 or 403 status line means the plugin directory exists; 404 means it is absent)
• generic web: Review WordPress access and error logs for suspicious SQL queries or error messages related to the Automotive Listings plugin. Look for patterns indicative of SQL injection attempts.
disclosure
Exploit Status
EPSS
0.05% (percentile 14%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-67928 is to immediately upgrade Automotive Listings to version 18.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These might include restricting database user permissions to the minimum necessary, implementing strict input validation and sanitization on all user-supplied data, and utilizing a Web Application Firewall (WAF) with SQL injection protection rules. Monitor WordPress logs for suspicious database queries and unusual activity. After upgrading, confirm the vulnerability is resolved by attempting a SQL injection attack on a non-critical endpoint and verifying that it is blocked or fails.
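The log review recommended in the detection steps and in the mitigation advice above, made concrete as an added example (this is not code from the advisory or from the plugin): it parses access-log lines in combined format, URL-decodes each request target, flags time-based and boolean-based blind SQL injection indicators, and lists sources that probe repeatedly. The log lines are constructed, and the `/listings/?make=` path and parameter are hypothetical, since the advisory does not name the vulnerable endpoint.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format (not real traffic). The
# /listings/?make= path and parameter are hypothetical: the advisory does
# not name the vulnerable endpoint, so this only illustrates the log shape.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Jan/2026:10:01:02 +0000] "GET /wp-content/plugins/automotive-listings/assets/app.js HTTP/1.1" 200 512
203.0.113.11 - - [08/Jan/2026:10:01:09 +0000] "GET /listings/?make=Ford HTTP/1.1" 200 8123
198.51.100.7 - - [08/Jan/2026:10:02:40 +0000] "GET /listings/?make=Ford%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 8123
198.51.100.7 - - [08/Jan/2026:10:02:55 +0000] "GET /listings/?make=Ford%27%20AND%20BENCHMARK%285000000%2CMD5%281%29%29--%20 HTTP/1.1" 200 8123
198.51.100.9 - - [08/Jan/2026:10:03:10 +0000] "GET /listings/?make=Ford%27%20OR%201%3D1--%20 HTTP/1.1" 200 9001
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Indicators of blind SQL injection probing, matched against the URL-decoded
# target; time-based payloads are the blind attacker's tell when no error shows.
INDICATORS = {
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I),
    "boolean-based": re.compile(r"\b(or|and)\s+\d+\s*=\s*\d+", re.I),
    "comment-terminator": re.compile(r"--(\s|$)|/\*"),
}

def scan_access_log(text):
    """Return one finding per request whose decoded target shows SQLi indicators."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode twice so a simply double-encoded payload is still visible.
        decoded = unquote_plus(unquote_plus(m["target"]))
        hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if hits:
            findings.append({"ip": m["ip"], "time": m["ts"], "target": decoded, "indicators": hits})
    return findings

def probing_sources(findings, threshold=2):
    """Source IPs with at least `threshold` flagged requests, i.e. repeated probing."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["ip"], ",".join(f["indicators"]), f["target"])
    print("repeated probing from:", probing_sources(found))
```

Feed it real access logs with `scan_access_log(open(path).read())`; a source in `probing_sources` is a candidate for WAF blocking and for a closer look at the plugin's database activity around those timestamps.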
Update to version 18.7, or a newer patched version
CVE-2025-67928 is a critical SQL Injection vulnerability affecting themesuite Automotive Listings plugin versions 0.0.0–18.6, allowing attackers to potentially extract data through blind SQL injection.
If you are using Automotive Listings versions 0.0.0 through 18.6, you are vulnerable to this SQL Injection flaw. Check your plugin version immediately.
Upgrade Automotive Listings to version 18.7 or later to resolve this vulnerability. If immediate upgrade is not possible, implement temporary mitigations like WAF rules and input validation.
While no active exploitation has been publicly confirmed, the CRITICAL severity suggests it could become a target. Monitor security advisories and threat intelligence.
Refer to the themesuite website and WordPress plugin repository for the official advisory and update information regarding CVE-2025-67928.