Platform: wordpress
Component: torod
Fixed version: 2.1.1
CVE-2025-30936 identifies a SQL Injection vulnerability within Torod, a component used in WordPress environments. This vulnerability allows attackers to inject malicious SQL code into database queries, potentially leading to unauthorized data access and modification. The vulnerability affects versions from 0.0.0 through 2.1, and a fix is available in version 1.9.1.
Successful exploitation of this SQL Injection vulnerability can have severe consequences. An attacker could bypass authentication mechanisms, gain access to sensitive user data (including usernames, passwords, and personal information), and potentially modify or delete critical database records. Depending on the database structure and permissions, an attacker might even be able to execute arbitrary commands on the server. The blast radius extends to any WordPress site utilizing the vulnerable Torod component, potentially impacting a large number of users and sensitive data.
CVE-2025-30936 was publicly disclosed on 2025-07-16. The CVSS score of 9.3 (CRITICAL) indicates a high probability of exploitation. While no public proof-of-concept (PoC) has been observed at the time of writing, the severity of the vulnerability and the ease of SQL Injection exploitation suggest that it is a likely target for attackers. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
WordPress websites utilizing the Torod component are at risk, particularly those running older versions (0.0.0–2.1). Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially expose data from other sites on the same server. Sites with weak database user permissions are also at increased risk.
• wordpress / composer / npm:
  grep -r "SELECT.*FROM" /var/www/html/wp-content/plugins/torod/*
• generic web:
  curl -I https://example.com/torod/vulnerable_endpoint?param='; DROP TABLE users; --
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep torod
• wordpress / composer / npm:
  wp plugin update torod
Exploitation status
EPSS: 0.04% (12th percentile)
The primary mitigation for CVE-2025-30936 is to immediately upgrade Torod to version 1.9.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious SQL injection attempts. Specifically, look for patterns involving single quotes, double quotes, semicolons, and SQL keywords. Regularly review database access logs for suspicious activity. After upgrading, confirm the fix by attempting a SQL injection payload through the vulnerable endpoint and verifying that it is properly sanitized.
Update the Torod plugin to the latest available version to mitigate the SQL injection vulnerability. Check for plugin updates in the WordPress admin panel or through the official WordPress.org repository.
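As an added example (not part of this advisory), the following script applies the WAF-style heuristics described above (quotes, semicolons, comment markers, SQL keywords) to web-server access-log lines, restricted to requests under the Torod plugin path. The log lines and the endpoint file name are constructed for illustration; the plugin path under wp-content/plugins/ is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jul/2025:10:01:02 +0000] "GET /wp-content/plugins/torod/endpoint.php?param=12 HTTP/1.1" 200 512
203.0.113.9 - - [16/Jul/2025:10:01:07 +0000] "GET /wp-content/plugins/torod/endpoint.php?param=%27%3B%20DROP%20TABLE%20users%3B%20-- HTTP/1.1" 200 512
198.51.100.2 - - [16/Jul/2025:10:02:11 +0000] "GET /wp-content/plugins/torod/endpoint.php?param=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512
198.51.100.7 - - [16/Jul/2025:10:03:00 +0000] "GET /wp-content/plugins/other/page.php?q=%27%3B%20DROP%20TABLE%20x HTTP/1.1" 404 0
"""

# Minimal parser for the request part of a combined-format log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TOROD_PATH = "/wp-content/plugins/torod/"  # assumed install location of the plugin
SQL_KEYWORDS = re.compile(
    r"\b(select|union|insert|update|delete|drop|or|and|sleep|benchmark)\b", re.I
)


def suspicious_indicators(query: str) -> list:
    """Return the heuristic signals present in a (URL-encoded) query string."""
    decoded = unquote_plus(query)  # decode before matching, as a WAF would
    found = []
    if "'" in decoded or '"' in decoded:
        found.append("quote")
    if ";" in decoded:
        found.append("semicolon")
    if "--" in decoded or "/*" in decoded:
        found.append("comment")
    if SQL_KEYWORDS.search(decoded):
        found.append("sql-keyword")
    return found


def scan_log(text: str) -> list:
    """Flag requests to the Torod plugin path that carry two or more signals."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or not m["path"].startswith(TOROD_PATH):
            continue
        query = m["path"].partition("?")[2]
        indicators = suspicious_indicators(query)
        if len(indicators) >= 2:  # two independent signals to limit false positives
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"], "indicators": indicators})
    return hits
```

Requiring two independent signals keeps a lone apostrophe in a legitimate search term from paging anyone; tune the threshold and keyword list to the site's real traffic.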
CVE-2025-30936 is a critical SQL Injection vulnerability affecting Torod versions 0.0.0 through 2.1, allowing attackers to manipulate database queries and potentially access sensitive data.
If your WordPress site uses Torod version 0.0.0 to 2.1, you are affected. Check your plugin versions and upgrade immediately.
Upgrade Torod to version 1.9.1 or later. If upgrading is not possible, implement a WAF rule to filter malicious SQL injection attempts.
While no active exploitation has been confirmed, the high CVSS score and ease of exploitation suggest it is a likely target. Continuous monitoring is recommended.
Refer to the official Torod project website or WordPress plugin repository for the latest advisory and update information.