Platform
wordpress
Component
tplayer-html5-audio-player-with-playlist
Fixed in
1.2.2
CVE-2025-60062 describes a SQL Injection vulnerability discovered in the tPlayer WordPress plugin. This flaw allows attackers to inject malicious SQL code, potentially leading to unauthorized data access and manipulation within the WordPress database. The vulnerability affects all versions from the initial release (listed as n/a) up to and including 1.2.1.6. A fix is pending release from the vendor.
The SQL Injection vulnerability in tPlayer poses a significant risk to WordPress websites utilizing the plugin. An attacker could exploit this flaw to bypass authentication mechanisms, retrieve sensitive user data (usernames, passwords, email addresses), modify database records, or even execute arbitrary commands on the server. Successful exploitation could lead to complete website compromise and data exfiltration. The impact is particularly severe given the potential for widespread deployment of the plugin across numerous WordPress sites, increasing the attack surface.
CVE-2025-60062 was publicly disclosed on December 18, 2025. The vulnerability's severity is rated as CRITICAL (CVSS 9.3). There are currently no known public Proof-of-Concept (PoC) exploits available, but the ease of SQL Injection exploitation suggests a high probability of exploitation if a PoC is developed. It is not currently listed on the CISA KEV catalog.
WordPress websites using the tPlayer plugin are at risk, particularly those with default configurations or limited security hardening. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially impact others.
• wordpress / composer / npm:
grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/tplayer/
• generic web:
curl -I https://example.com/wp-content/plugins/tplayer/ | grep SQLdisclosure
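The version-header check below is an added example, not code from the advisory or from the plugin vendor: it reads the installed plugin's WordPress header and compares the declared version numerically against the advisory's affected range (up to and including 1.2.1.6). The plugin directory is assumed to be the component slug above under the default wp-content layout, and the header is assumed to live in some PHP file in that directory's root.

```python
import re
from pathlib import Path

# Affected range from this advisory: every release up to and including 1.2.1.6
# (the page header lists 1.2.2 as the fixed release).
LAST_AFFECTED = "1.2.1.6"

# Assumed install path: the slug from the advisory under the default wp-content layout.
PLUGIN_DIR = Path("/var/www/html/wp-content/plugins/tplayer-html5-audio-player-with-playlist")

# Matches the 'Version:' line of a WordPress plugin header, with or without a leading '*'.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(v: str) -> tuple:
    """Turn '1.2.1.6' into (1, 2, 1, 6). Numeric tuples compare correctly where a
    plain string compare would not (e.g. '1.2.1.10' sorts before '1.2.1.6' as text)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def header_version(php_source: str):
    """Extract the declared version from a plugin's header block, or None."""
    if "Plugin Name:" not in php_source:
        return None
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None


def installed_version(plugin_dir: Path = PLUGIN_DIR):
    """Scan the plugin root for the PHP file carrying the header (assumed layout)."""
    for php in sorted(plugin_dir.glob("*.php")):
        v = header_version(php.read_text(errors="replace"))
        if v:
            return v
    return None


def check(plugin_dir: Path = PLUGIN_DIR) -> str:
    """Human-readable verdict for the plugin installed under plugin_dir."""
    v = installed_version(plugin_dir)
    if v is None:
        return "tPlayer not found (or no version header) under %s" % plugin_dir
    status = "AFFECTED by CVE-2025-60062" if is_affected(v) else "outside the affected range"
    return f"tPlayer {v}: {status}"


if __name__ == "__main__":
    print(check())
```

Point `check()` at each site's plugin directory on a shared host to confirm which installs still fall inside the affected range.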
Exploit status
EPSS
0.04% (14th percentile)
CISA SSVC
CVSS vector
Due to the lack of a released patch, immediate mitigation strategies are crucial. First, consider temporarily disabling the tPlayer plugin to prevent potential exploitation. Implement a Web Application Firewall (WAF) with rules designed to detect and block SQL Injection attempts targeting the plugin's endpoints. Carefully review and sanitize any user input processed by the plugin. Monitor WordPress database logs for suspicious SQL queries. Regularly back up your WordPress database to facilitate restoration in case of a successful attack. Once a patch is released, upgrade to the fixed version immediately and verify the fix by attempting a SQL Injection payload on the affected endpoints.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-60062 is a critical SQL Injection vulnerability affecting versions 0–1.2.1.6 of the tPlayer WordPress plugin, allowing attackers to inject malicious SQL code.
If you are using the tPlayer WordPress plugin in versions 0–1.2.1.6, you are potentially affected by this vulnerability. Immediate action is required.
Currently, there is no official patch. Mitigate by disabling the plugin, implementing a WAF, and monitoring database logs. Upgrade as soon as a patch is released.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high risk of future exploitation.
Refer to the plugin developer's website or WordPress.org plugin repository for updates and advisories regarding CVE-2025-60062.