WordPress tPlayer plugin <= 1.2.1.6 - SQL Injection vulnerability
Platform: wordpress
Component: tplayer-html5-audio-player-with-playlist
Fixed in: 1.2.2
CVE-2025-60062 describes a SQL Injection vulnerability discovered in the tPlayer WordPress plugin. This flaw allows attackers to inject malicious SQL code, potentially leading to unauthorized data access and manipulation within the WordPress database. The vulnerability impacts versions from the initial release (n/a) up to and including 1.2.1.6. A fix is pending release from the vendor.
Impact and attack scenarios
The SQL Injection vulnerability in tPlayer poses a significant risk to WordPress websites utilizing the plugin. An attacker could exploit this flaw to bypass authentication mechanisms, retrieve sensitive user data (usernames, passwords, email addresses), modify database records, or even execute arbitrary commands on the server. Successful exploitation could lead to complete website compromise and data exfiltration. The impact is particularly severe given the potential for widespread deployment of the plugin across numerous WordPress sites, increasing the attack surface.
Exploitation context
CVE-2025-60062 was publicly disclosed on December 18, 2025. The vulnerability's severity is rated as CRITICAL (CVSS 9.3). There are currently no known public Proof-of-Concept (PoC) exploits available, but the ease of SQL Injection exploitation suggests a high probability of exploitation if a PoC is developed. It is not currently listed on the CISA KEV catalog.
Who is at risk
WordPress websites using the tPlayer plugin are at risk, particularly those with default configurations or limited security hardening. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially impact others.
Detection steps
• wordpress / composer / npm:
grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/tplayer/
• generic web:
curl -I https://example.com/wp-content/plugins/tplayer/ | grep SQL
Attack timeline
- Disclosure
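The grep above only tells you whether the plugin directory contains SQL; what a defender actually needs from the detection step is the installed version compared against the affected range (up to and including 1.2.1.6, fixed in 1.2.2). The following Python is an added example, not part of this advisory or the plugin's own code: it reads the Version: field from a WordPress plugin header, compares it numerically (string comparison would wrongly order 1.10 before 1.2), and can walk a wp-content/plugins directory. The plugin header text is constructed for the example; only the version boundaries come from the advisory.

```python
import os
import re
from typing import Dict, Optional, Tuple

# Boundaries stated in the advisory: affected <= 1.2.1.6, fixed in 1.2.2
AFFECTED_MAX = "1.2.1.6"
FIXED_VERSION = "1.2.2"

# Constructed sample of a plugin main-file header (not the real plugin's source)
SAMPLE_PLUGIN_SOURCE = """<?php
/*
Plugin Name: tPlayer - HTML5 audio player with playlist
Plugin URI: https://example.com/tplayer
Description: Audio player for WordPress.
Version: 1.2.1.6
Author: example
*/
"""

HEADER_PREFIX = r"^[ \t/*#@]*"   # tolerates " * Version:" inside a comment block


def parse_plugin_version(php_source: str) -> Optional[str]:
    """Extract the Version: field from a WordPress plugin header block."""
    match = re.search(HEADER_PREFIX + r"Version:[ \t]*(\S+)", php_source,
                      re.MULTILINE | re.IGNORECASE)
    return match.group(1) if match else None


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple so that 1.2.1.6 < 1.2.2 and 1.2 < 1.10 compare correctly."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while len(parts) > 1 and parts[-1] == 0:   # treat 1.2.2.0 as 1.2.2
        parts.pop()
    return tuple(parts)


def is_affected(version: str) -> bool:
    return version_key(version) <= version_key(AFFECTED_MAX)


def assess_plugin_source(php_source: str) -> Dict[str, object]:
    """Return the parsed version, whether it is in the affected range, and the action."""
    version = parse_plugin_version(php_source)
    if version is None:
        return {"version": None, "affected": None,
                "action": "version header not found; inspect manually"}
    affected = is_affected(version)
    action = (f"upgrade to {FIXED_VERSION} or later, or disable the plugin"
              if affected else "not in the affected range")
    return {"version": version, "affected": affected, "action": action}


def scan_plugins_dir(plugins_dir: str) -> Dict[str, Dict[str, object]]:
    """Assess every plugin under wp-content/plugins whose header names tPlayer."""
    results: Dict[str, Dict[str, object]] = {}
    for entry in sorted(os.listdir(plugins_dir)):
        plugin_path = os.path.join(plugins_dir, entry)
        if not os.path.isdir(plugin_path):
            continue
        for name in sorted(os.listdir(plugin_path)):
            if not name.endswith(".php"):
                continue
            with open(os.path.join(plugin_path, name), encoding="utf-8", errors="replace") as fh:
                head = fh.read(8192)   # WordPress reads only the first 8 KiB for headers
            if re.search(HEADER_PREFIX + r"Plugin Name:.*tplayer", head,
                         re.MULTILINE | re.IGNORECASE):
                results[entry] = assess_plugin_source(head)
                break
    return results


if __name__ == "__main__":
    print(assess_plugin_source(SAMPLE_PLUGIN_SOURCE))
```

Run scan_plugins_dir("/var/www/html/wp-content/plugins") on a host to get one verdict per plugin directory; the header-based match means the check does not depend on the directory slug, which the detection command above assumes to be tplayer.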
Threat intelligence
EPSS: 0.04% (14th percentile)
CVSS vector
- Attack Vector: Network. Remotely exploitable over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions; reliably exploitable.
- Privileges Required: None. Exploitable without authentication.
- User Interaction: None. Automated and silent; the victim does nothing.
- Scope: Changed. The attack can spread beyond the vulnerable component to other systems.
- Confidentiality: High. Total loss of confidentiality; the attacker can read all data.
- Integrity: None. No impact on integrity.
- Availability: Low. Partial or intermittent denial of service.
Mitigations and workarounds
Due to the lack of a released patch, immediate mitigation strategies are crucial. First, consider temporarily disabling the tPlayer plugin to prevent potential exploitation. Implement a Web Application Firewall (WAF) with rules designed to detect and block SQL Injection attempts targeting the plugin's endpoints. Carefully review and sanitize any user input processed by the plugin. Monitor WordPress database logs for suspicious SQL queries. Regularly back up your WordPress database to facilitate restoration in case of a successful attack. Once a patch is released, upgrade to the fixed version immediately and verify the fix by attempting a SQL Injection payload on the affected endpoints.
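Two of the mitigations above, WAF rules for the plugin's endpoints and monitoring for suspicious queries, both depend on recognising injection attempts in request logs. The following Python is an added example (not part of this advisory or the plugin): it parses Apache combined-format access-log lines, percent-decodes the request target, restricts attention to the plugin path used in the detection commands, and reports requests carrying common SQL injection indicators. The log lines, IP addresses and the endpoint name player.php are constructed placeholders; the advisory names no endpoint.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Path used by this advisory's detection commands; adjust if the plugin slug differs
PLUGIN_PATH = "/wp-content/plugins/tplayer/"

# Constructed sample log (Apache combined format); endpoint and addresses are placeholders
SAMPLE_LOG = """\
203.0.113.10 - - [18/Dec/2025:10:00:01 +0000] "GET /wp-content/plugins/tplayer/player.php?id=42 HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
203.0.113.11 - - [18/Dec/2025:10:00:05 +0000] "GET /wp-content/plugins/tplayer/player.php?id=42%27%20OR%201%3D1--%20 HTTP/1.1" 200 9120 "-" "python-requests/2.31"
203.0.113.12 - - [18/Dec/2025:10:00:09 +0000] "GET /wp-content/plugins/tplayer/player.php?id=42%20UNION%20SELECT%201%2C2%2C3 HTTP/1.1" 200 9300 "-" "curl/8.0"
203.0.113.13 - - [18/Dec/2025:10:00:12 +0000] "GET /wp-content/plugins/other-plugin/search.php?q=select+a+song HTTP/1.1" 200 400 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator patterns applied to the decoded request target; each carries a label
SQLI_PATTERNS = [
    (re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I), "UNION SELECT"),
    (re.compile(r"""(?:'|")\s*or\s+[\w']+\s*=\s*[\w']+""", re.I), "quote followed by OR tautology"),
    (re.compile(r"\b(sleep|benchmark)\s*\(", re.I), "time-based probe"),
    (re.compile(r"information_schema", re.I), "schema enumeration"),
    (re.compile(r"(--\s|--$|/\*)"), "SQL comment sequence"),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def decode_target(target: str) -> str:
    """Peel up to three layers of percent-encoding so double-encoded payloads are seen."""
    decoded = target
    for _ in range(3):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def flag_target(target: str) -> List[str]:
    """Return the labels of every indicator pattern matching the decoded target."""
    decoded = decode_target(target)
    return [label for pattern, label in SQLI_PATTERNS if pattern.search(decoded)]


def scan_log(text: str) -> List[Dict[str, object]]:
    """Report requests to the plugin path whose target carries injection indicators."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = decode_target(rec["target"].split("?", 1)[0])
        if not path.startswith(PLUGIN_PATH):
            continue   # scope to the vulnerable plugin; other plugins get their own rules
        reasons = flag_target(rec["target"])
        if reasons:
            findings.append({"ip": rec["ip"], "time": rec["ts"],
                             "target": rec["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["reasons"], finding["target"])
```

Scoping to the plugin path keeps the benign search in the last sample line (the word "select" in a song title) out of the findings; the same patterns can be turned into WAF rules for the plugin's endpoints, and POST bodies would need the same decoding applied to the body rather than the target.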
How to fix
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Frequently asked questions
What is CVE-2025-60062 — SQL Injection in tPlayer WordPress Plugin?
CVE-2025-60062 is a critical SQL Injection vulnerability affecting versions 0–1.2.1.6 of the tPlayer WordPress plugin, allowing attackers to inject malicious SQL code.
Am I affected by CVE-2025-60062 in tPlayer WordPress Plugin?
If you are using the tPlayer WordPress plugin in versions 0–1.2.1.6, you are potentially affected by this vulnerability. Immediate action is required.
How do I fix CVE-2025-60062 in tPlayer WordPress Plugin?
Currently, there is no official patch. Mitigate by disabling the plugin, implementing a WAF, and monitoring database logs. Upgrade as soon as a patch is released.
Is CVE-2025-60062 being actively exploited?
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high risk of future exploitation.
Where can I find the official tPlayer advisory for CVE-2025-60062?
Refer to the plugin developer's website or WordPress.org plugin repository for updates and advisories regarding CVE-2025-60062.