Escanear grátis
CRITICALCVE-2025-31911CVSS 9.3

WordPress Social Share And Social Locker plugin <= 1.4.2 - SQL Injection vulnerability

traduzindo…

Plataforma

wordpress

Componente

social-share-and-social-locker-arsocial

Corrigido em

1.4.3

AI Confidence: highNVDEPSS 0.2%Revisado: mai. de 2026
Ver no NVD
Salvar
Traduzindo para o seu idioma…

CVE-2025-31911 describes a critical SQL Injection vulnerability discovered in the Social Share And Social Locker WordPress plugin. This flaw allows attackers to perform blind SQL injection, potentially leading to unauthorized data access and manipulation. The vulnerability affects versions from 0 up to and including 1.4.2, and a patch is available in version 1.4.3.

WordPress

Detecte esta CVE no seu projeto

Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.

Escanear grátis

Impacto e Cenários de Ataquetraduzindo…

The SQL Injection vulnerability in Social Share And Social Locker allows attackers to bypass security measures and directly interact with the underlying database. Due to the 'blind' nature of the injection, attackers must infer data through multiple queries, making exploitation potentially time-consuming but still highly impactful. Successful exploitation could lead to the extraction of sensitive user data, including usernames, passwords, email addresses, and potentially even financial information if the plugin handles such data. Furthermore, an attacker could modify database records, leading to data corruption or denial of service. This vulnerability shares characteristics with other SQL injection flaws, where attackers leverage malformed SQL queries to gain unauthorized access.

Contexto de Exploraçãotraduzindo…

CVE-2025-31911 was publicly disclosed on 2025-04-03. The vulnerability's severity is high due to the potential for data exfiltration and modification. Currently, there are no known public exploits or active campaigns targeting this specific vulnerability, but the blind SQL injection nature means exploitation is possible. It is not listed on the CISA KEV catalog as of this writing.

Quem Está em Riscotraduzindo…

WordPress websites utilizing the Social Share And Social Locker plugin, particularly those running versions 0 through 1.4.2, are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially expose data from others.

Passos de Detecçãotraduzindo…

• wordpress / composer / npm:

grep -r "reputeinfosystems/social-share-and-social-locker" wp-content/plugins/

• wordpress / composer / npm:

wp plugin list | grep "Social Share And Social Locker"

• generic web:

curl -I https://your-wordpress-site.com/wp-content/plugins/social-share-and-social-locker/ | grep -i "SQL"

• generic web: Review WordPress access logs for unusual SQL query patterns originating from the plugin’s endpoints.

Linha do Tempo do Ataque

  1. Disclosure

    disclosure

Inteligência de Ameaças

Status do Exploit

Prova de ConceitoDesconhecido
CISA KEVNO
Exposição na InternetAlta

EPSS

0.23% (percentil 46%)

CISA SSVC

Exploraçãonone
Automatizávelyes
Impacto Técnicototal

Vetor CVSS

INTELIGÊNCIA DE AMEAÇAS· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L9.3CRITICALAttack VectorNetworkComo o atacante alcança o alvoAttack ComplexityLowCondições necessárias para explorarPrivileges RequiredNoneNível de autenticação necessárioUser InteractionNoneSe a vítima precisa tomar uma açãoScopeChangedImpacto além do componente afetadoConfidentialityHighRisco de exposição de dados sensíveisIntegrityNoneRisco de modificação não autorizada de dadosAvailabilityLowRisco de interrupção de serviçonextguardhq.com · Pontuação Base CVSS v3.1
O que significam essas métricas?
Attack Vector
Rede — explorável remotamente pela internet. Sem acesso físico ou local necessário.
Attack Complexity
Baixa — sem condições especiais. O atacante pode explorar de forma confiável.
Privileges Required
Nenhum — sem autenticação necessária para explorar.
User Interaction
Nenhuma — ataque automático e silencioso. A vítima não faz nada.
Scope
Alterado — o ataque pode pivotar para além do componente vulnerável.
Confidentiality
Alto — perda total de confidencialidade. O atacante pode ler todos os dados.
Integrity
Nenhum — sem impacto na integridade.
Availability
Baixo — negação de serviço parcial ou intermitente.

Software Afetado

Componentesocial-share-and-social-locker-arsocial
Fornecedorreputeinfosystems
Faixa afetadaCorrigido em
0 – 1.4.21.4.3

Classificação de Fraqueza (CWE)

CWE-89

Linha do tempo

  1. Reservado
  2. Publicada
  3. Modificada
  4. EPSS atualizado

Mitigação e Soluções Alternativastraduzindo…

The primary mitigation for CVE-2025-31911 is to immediately upgrade the Social Share And Social Locker plugin to version 1.4.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. While a direct WAF rule is difficult to implement for blind SQL injection, implementing a WAF rule that blocks suspicious SQL query patterns targeting the plugin's endpoints could offer some protection. Monitor WordPress access logs for unusual SQL query patterns originating from the plugin’s endpoints. After upgrading, confirm the vulnerability is resolved by attempting a test SQL injection query through the plugin’s functionality and verifying that it is properly sanitized.

Como corrigirtraduzindo…

Actualice el plugin Social Share And Social Locker a la última versión disponible para mitigar la vulnerabilidad de inyección SQL ciega.  Verifique las actualizaciones en el repositorio de WordPress o contacte al desarrollador para obtener más información sobre la versión corregida.  Implemente medidas de seguridad adicionales, como la validación y el saneamiento de las entradas del usuario, para prevenir futuras vulnerabilidades.

Boletim de Segurança CVE

Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.

Perguntas frequentestraduzindo…

What is CVE-2025-31911 — SQL Injection in Social Share And Social Locker?

CVE-2025-31911 is a critical SQL Injection vulnerability affecting versions 0–1.4.2 of the Social Share And Social Locker WordPress plugin, allowing attackers to extract data via blind SQL injection.

Am I affected by CVE-2025-31911 in Social Share And Social Locker?

If your WordPress site uses Social Share And Social Locker version 0 through 1.4.2, you are vulnerable to this SQL Injection flaw. Upgrade immediately.

How do I fix CVE-2025-31911 in Social Share And Social Locker?

Upgrade the Social Share And Social Locker plugin to version 1.4.3 or later to resolve this vulnerability. If upgrading is not possible, temporarily disable the plugin.

Is CVE-2025-31911 being actively exploited?

As of now, there are no confirmed active exploitation campaigns targeting CVE-2025-31911, but the blind SQL injection nature makes exploitation possible.

Where can I find the official Social Share And Social Locker advisory for CVE-2025-31911?

Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information regarding CVE-2025-31911.

Seu projeto está afetado?

Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.

Escanear grátisBuscar CVEs