Platform
wordpress
Component
cleverreach-wp
Fixed in
1.5.21
CVE-2025-49059 identifies a SQL Injection vulnerability within CleverReach® WP, a WordPress plugin. This flaw allows unauthorized users to inject malicious SQL code, potentially leading to data breaches and system compromise. The vulnerability impacts versions from 0.0 up to and including 1.5.20, but a patch is available in version 1.5.21.
Successful exploitation of this SQL Injection vulnerability could grant an attacker unauthorized access to the CleverReach® WP database. This could include sensitive user data, email lists, campaign information, and potentially even WordPress user credentials if stored within the database. An attacker could modify data, delete records, or even gain control of the entire WordPress site depending on database permissions and the plugin's configuration. The impact is particularly severe given the plugin's function as an email marketing tool, where compromised lists could be used for spam or phishing campaigns. This vulnerability shares similarities with other SQL Injection flaws where attackers leverage database queries to bypass authentication or retrieve confidential information.
CVE-2025-49059 was publicly disclosed on 2025-08-14. The CVSS score of 9.3 (CRITICAL) indicates a high probability of exploitation. As of this writing, there are no publicly available proof-of-concept exploits, but the severity of the vulnerability and the ease of SQL Injection exploitation suggest that it is a high-priority target for attackers. It is not currently listed on the CISA KEV catalog.
Websites utilizing CleverReach® WP for email marketing, particularly those with older plugin versions (0.0 - 1.5.20), are at significant risk. Shared hosting environments where multiple WordPress sites share the same database are especially vulnerable, as a compromise of one site could potentially impact others. Sites with weak database user permissions are also at increased risk.
• wordpress / composer / npm:
grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/cleverreach-wp/
• wordpress / composer / npm:
wp plugin list | grep cleverreach-wp
• wordpress / composer / npm:
wp plugin update cleverreach-wp
• generic web: Inspect CleverReach® WP plugin input fields for unusual characters or SQL syntax. Review WordPress access logs for requests to the plugin's endpoints whose parameters carry SQL syntax.
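The detection steps above boil down to one question: does the installed plugin version fall inside the affected range 0.0 through 1.5.20? The following POSIX shell script is an added example (not from the advisory, and not code from the CleverReach plugin or its vendor) that answers it. It compares dotted version strings numerically against the fixed version 1.5.21 stated above, extracts the `Version:` header from a plugin main file, and, in `check_installed`, queries a live site with wp-cli (`wp plugin get cleverreach-wp --field=version`) or falls back to reading the header from disk. The plugin header embedded in the script is a constructed sample, and the default main-file path `cleverreach-wp/cleverreach-wp.php` is an assumption, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the advisory or the CleverReach plugin.
# Decides whether an installed cleverreach-wp version is in the affected
# range 0.0 .. 1.5.20. The fixed version below comes from the advisory.
FIXED_VERSION="1.5.21"

# version_lt A B: exit 0 if dotted version A is strictly lower than B.
# Missing components count as 0; non-numeric suffixes such as "-rc1" are dropped.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
    [ -z "$ai" ] && ai=0
    [ -z "$bi" ] && bi=0
    [ "$ai" -lt "$bi" ] && return 0
    [ "$ai" -gt "$bi" ] && return 1
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 1
}

# cleverreach_status VERSION: print "affected" or "patched" for the given version.
cleverreach_status() {
  if version_lt "$1" "$FIXED_VERSION"; then echo affected; else echo patched; fi
}

# plugin_version_from_header: read a WordPress plugin main file on stdin and
# print the value of its "Version:" header line (first match only).
plugin_version_from_header() {
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# check_installed [PATH]: inspect the live site. Prefers wp-cli; otherwise reads
# the plugin header from PATH. The default path is an assumed location.
check_installed() {
  path="${1:-/var/www/html/wp-content/plugins/cleverreach-wp/cleverreach-wp.php}"
  v=""
  if command -v wp >/dev/null 2>&1; then
    v=$(wp plugin get cleverreach-wp --field=version 2>/dev/null)
  elif [ -r "$path" ]; then
    v=$(plugin_version_from_header < "$path")
  fi
  [ -n "$v" ] || { echo "cleverreach-wp not found"; return 2; }
  echo "cleverreach-wp $v: $(cleverreach_status "$v")"
}

# Constructed sample plugin header (not the real plugin file), used for the demo.
SAMPLE_HEADER='<?php
/**
 * Plugin Name: CleverReach WP (constructed sample header)
 * Version: 1.5.20
 */'

demo_version=$(printf '%s\n' "$SAMPLE_HEADER" | plugin_version_from_header)
echo "sample header reports $demo_version -> $(cleverreach_status "$demo_version")"
```

Run `check_installed` on a host with wp-cli, or pass the path of the plugin's main file as its argument on a host without it; an exit status of 2 means the plugin could not be located at all.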
Disclosure
Exploit Status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-49059 is to immediately upgrade CleverReach® WP to version 1.5.21 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These may include restricting database user permissions to limit the impact of a successful injection, or using a Web Application Firewall (WAF) with SQL Injection rules to filter malicious requests. Monitor CleverReach® WP plugin files for unauthorized modifications. After upgrading, verify the fix by attempting a SQL Injection payload through the plugin's input fields and confirming that the query is properly sanitized.
Update the CleverReach® WP plugin to the latest available version to mitigate the SQL injection vulnerability. Consult the plugin documentation or the developer's website for specific update instructions.
CVE-2025-49059 is a critical SQL Injection vulnerability affecting CleverReach® WP versions 0.0 through 1.5.20, allowing attackers to inject malicious SQL code and potentially access sensitive data.
If you are using CleverReach® WP versions 0.0 to 1.5.20, you are affected by this vulnerability. Upgrade to version 1.5.21 or later to mitigate the risk.
The recommended fix is to upgrade CleverReach® WP to version 1.5.21 or later. If immediate upgrade is not possible, consider temporary workarounds like WAF rules and restricting database permissions.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest it is a high-priority target for attackers.
Please refer to the CleverReach® WP official website or their security advisory page for the latest information and updates regarding CVE-2025-49059.