Platform
wordpress
Component
lms
Fixed version
9.2.1
CVE-2025-52833 describes a SQL Injection vulnerability discovered in the LMS LMS Theme. This flaw allows attackers to inject malicious SQL code, potentially compromising sensitive data and system integrity. The vulnerability affects versions of LMS LMS Theme from 0.0.0 up to and including 9.2. A patch is available in version 9.3.
Successful exploitation of this SQL Injection vulnerability could grant an attacker unauthorized access to the underlying database. This could lead to the exfiltration of sensitive user data, including usernames, passwords, and personal information. Furthermore, an attacker might be able to modify or delete data, potentially disrupting the functionality of the LMS system. The blast radius extends to any data stored within the database accessible through the vulnerable query. While no specific real-world precedent is immediately apparent, SQL Injection vulnerabilities are consistently among the most exploited web application flaws, often leading to significant data breaches.
CVE-2025-52833 was published on 2025-07-04. Its criticality is high due to the potential for significant data compromise. No public proof-of-concept (POC) code has been publicly released as of this writing, but the ease of exploiting SQL Injection vulnerabilities suggests a high probability of exploitation if the vulnerability remains unpatched. The vulnerability is not currently listed on the CISA KEV catalog.
WordPress sites utilizing the LMS LMS Theme, particularly those running versions 0.0.0 through 9.2, are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially impact others. Sites with weak database access controls or inadequate input validation practices are also at increased risk.
• wordpress / composer / npm:
grep -r "SELECT .* FROM" /var/www/html/wp-content/themes/lms/
• generic web:
curl -I https://your-wordpress-site.com/lms/vulnerable-endpoint?param='; DROP TABLE users; --
• wordpress / composer / npm:
wp plugin list --status=inactive | grep lms
Disclosure
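The grep above matches every SELECT in the theme, prepared or not. A finer-grained triage check, added here as an example (not code from the page or from the theme), flags $wpdb calls that splice PHP variables into their SQL without going through $wpdb->prepare(); the PHP sample, its table names and the endpoint parameter are constructed.

```python
import re

# $wpdb methods that execute raw SQL (WordPress core API).
SQL_METHODS = ("query", "get_results", "get_var", "get_row", "get_col")
CALL_RE = re.compile(r"\$wpdb\s*->\s*(" + "|".join(SQL_METHODS) + r")\s*\(")
PREPARE_RE = re.compile(r"\$wpdb\s*->\s*prepare\s*\(")
# Table-name pieces such as {$wpdb->prefix} are not request input; drop them.
WPDB_PROP_RE = re.compile(r"\{?\$wpdb\s*->\s*\w+\}?")
# A PHP variable inside a double-quoted string, or concatenated with '.'.
INTERP_RE = re.compile(r'"[^"]*(\$[A-Za-z_]|\{\$)[^"]*"')
CONCAT_RE = re.compile(r"\.\s*\$[A-Za-z_]\w*|\$[A-Za-z_]\w*(\[[^\]]*\])*\s*\.")

def _call_args(src: str, open_paren: int) -> str:
    """Text between the call's outer parentheses (heuristic: ignores quotes)."""
    depth = 0
    for i in range(open_paren, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
    return src[open_paren + 1:]

def find_unprepared_queries(php_source: str) -> list[tuple[int, str]]:
    """(line, method) for each $wpdb SQL call whose argument builds SQL from
    variables without prepare(). A prebuilt $sql passed whole is not flagged."""
    findings = []
    for m in CALL_RE.finditer(php_source):
        args = _call_args(php_source, m.end() - 1)
        if PREPARE_RE.search(args):
            continue  # parameterised via $wpdb->prepare(): not flagged
        args = WPDB_PROP_RE.sub("", args)
        if INTERP_RE.search(args) or CONCAT_RE.search(args):
            findings.append((php_source.count("\n", 0, m.start()) + 1, m.group(1)))
    return findings

# Constructed sample, not code from the LMS theme: lines 3 and 6 are unsafe.
SAMPLE_THEME_PHP = r'''<?php
$id = $_GET['course_id'];
$rows = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}lms_courses WHERE id = $id" );
$safe = $wpdb->get_results( $wpdb->prepare(
    "SELECT * FROM {$wpdb->prefix}lms_courses WHERE id = %d", absint( $_GET['course_id'] ) ) );
$wpdb->query( 'DELETE FROM ' . $wpdb->prefix . 'lms_enrol WHERE user_id = ' . $uid );
$count = $wpdb->get_var( "SELECT COUNT(*) FROM {$wpdb->prefix}lms_courses" );
'''

if __name__ == "__main__":
    for line, method in find_unprepared_queries(SAMPLE_THEME_PHP):
        print(f"line {line}: $wpdb->{method}() builds SQL from variables without prepare()")
```

Run it over each .php file under the theme directory; every hit is a query to rewrite with $wpdb->prepare() and sanitised input, which is the parameterisation the mitigation section calls for.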
Exploitation status
EPSS
0.05% (16th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-52833 is to immediately upgrade the LMS LMS Theme to version 9.3 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to detect and block SQL Injection attempts targeting the vulnerable endpoints. Input validation and parameterized queries should be implemented in any custom code interacting with the database. Regularly review database access permissions to limit the potential impact of a successful attack. After upgrading, confirm the vulnerability is resolved by attempting a SQL Injection payload on the affected endpoint and verifying it is properly sanitized.
Update to version 9.3, or a newer patched version
CVE-2025-52833 is a critical SQL Injection vulnerability affecting the LMS LMS Theme, allowing attackers to inject malicious SQL code and potentially access sensitive data.
You are affected if you are using LMS LMS Theme versions 0.0.0 through 9.2. Upgrade to version 9.3 to mitigate the risk.
Upgrade the LMS LMS Theme to version 9.3 or later. Implement a WAF and input validation as temporary workarounds if upgrading is not immediately possible.
While no active exploitation has been confirmed, the ease of SQL Injection exploitation suggests a high probability of exploitation if the vulnerability remains unpatched.
Refer to the official LMS website or their security advisory page for the latest information and updates regarding CVE-2025-52833.