Platform
wordpress
Component
cleverreach-wp
Fixed in
1.5.22
CVE-2025-68034 describes a SQL Injection vulnerability discovered in CleverReach® WP, a WordPress plugin. This flaw allows attackers to inject arbitrary SQL code, potentially leading to data breaches and unauthorized access. The vulnerability impacts versions from 0.0 up to and including 1.5.21. A patch is available in version 1.5.22.
Successful exploitation of this SQL Injection vulnerability could allow an attacker to bypass authentication mechanisms and directly query the database. This could result in the theft of sensitive user data, including usernames, passwords, email addresses, and potentially even financial information if the plugin handles e-commerce transactions. Furthermore, an attacker could modify or delete data within the database, leading to data corruption or denial of service. The blast radius extends to all users of affected CleverReach® WP installations, particularly those storing sensitive information within the plugin’s database.
CVE-2025-68034 was published on 2026-01-22. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 9.3 (CRITICAL) indicates a high level of severity. It is not listed on the CISA KEV catalog at the time of writing. Public proof-of-concept code is not currently available, but the SQL Injection nature of the vulnerability makes it likely that such code will emerge.
Websites utilizing CleverReach® WP for email marketing and automation, particularly those storing sensitive user data within the plugin's database, are at significant risk. Shared hosting environments where multiple websites share the same database are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/cleverreach-wp/
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/cleverreach-wp/ | grep SQL
• wordpress / composer / npm:
wp plugin list | grep cleverreach-wp
Disclosure
Exploit Status
EPSS
0.05% (16th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-68034 is to immediately upgrade CleverReach® WP to version 1.5.22 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious SQL injection attempts targeting the vulnerable endpoints. Specifically, look for patterns involving single quotes, double quotes, semicolons, and SQL keywords in user-supplied input. Additionally, review and restrict database user permissions to limit the potential damage from a successful attack. After upgrading, confirm the vulnerability is resolved by attempting a SQL injection payload on the affected endpoint and verifying that it is properly sanitized.
Update to version 1.5.22, or a newer patched version
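To check an installed copy against the patched release named above, here is an added example (not code from this advisory or from the CleverReach® WP plugin) that reads the `Version:` line of a WordPress plugin's main-file header and compares it with 1.5.22 using numeric component comparison, so that 1.5.21 sorts below 1.5.22 and 1.10.0 above it; the plugin header content is a constructed sample.

```python
import re
from typing import Optional, Tuple

# Fixed version stated in the advisory for CVE-2025-68034.
FIXED_VERSION = "1.5.22"

# Constructed sample of a WordPress plugin header block, as found at the top
# of a plugin's main PHP file. Illustrative input only, not the real
# cleverreach-wp file contents.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: CleverReach WP
 * Description: Example header used only for this check.
 * Version: 1.5.21
 * Author: example
 */
"""

def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the value of the 'Version:' header line, or None if absent."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return match.group(1) if match else None

def version_tuple(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so 1.5.21 < 1.5.22 < 1.10.0."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)  # suffixes such as '-beta' are ignored
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)

def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is below the first patched release."""
    a, b = version_tuple(installed), version_tuple(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # pad so "0.0" compares against three parts
    b += (0,) * (width - len(b))
    return a < b

def check_plugin(header_text: str) -> str:
    """Classify a plugin header as VULNERABLE, patched, or unknown."""
    version = parse_plugin_version(header_text)
    if version is None:
        return "unknown: no Version header found"
    status = "VULNERABLE" if is_vulnerable(version) else "patched"
    return f"{status}: installed {version}, fixed in {FIXED_VERSION}"

if __name__ == "__main__":
    print(check_plugin(SAMPLE_PLUGIN_HEADER))
```

Point `check_plugin` at the contents of the plugin's main PHP file (for example via `wp plugin list` to locate it) to get a per-site answer rather than a grep hit.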
CVE-2025-68034 is a critical SQL Injection vulnerability in CleverReach® WP, allowing attackers to inject malicious SQL code and potentially access sensitive data. It affects versions 0.0 - 1.5.21.
You are affected if you are using CleverReach® WP versions 0.0 through 1.5.21. Immediately upgrade to 1.5.22 or later to mitigate the risk.
Upgrade CleverReach® WP to version 1.5.22 or later. If immediate upgrade is not possible, implement WAF rules to filter malicious SQL injection attempts.
As of the current date, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate attention and remediation.
Refer to the CleverReach® WP website and their security advisory page for the official announcement and further details regarding CVE-2025-68034.