Platform
wordpress
Component
analyticswp
Fixed in
2.1.3
CVE-2025-39389 is a SQL Injection vulnerability in the AnalyticsWP WordPress plugin (published by Solid Plugins). Attacker-controlled input reaches a database query without proper sanitization, so injected SQL can read or modify data the plugin was never meant to expose. All versions of AnalyticsWP prior to 2.1.3 are affected; the fix ships in version 2.1.3.
Successful exploitation lets an attacker run attacker-chosen queries against the WordPress database. WordPress core and every plugin share one database user, so a plugin-level injection reaches the whole schema: the wp_users table (usernames, email addresses and password hashes), wp_options, and the tables of any other plugin, including order and customer data if an e-commerce plugin such as WooCommerce stores its tables in the same database. Depending on the injection point, an attacker may also be able to modify or delete rows, leading to data corruption or a denial of service. Because plugins carry the same database privileges as WordPress itself, this is a high-risk vulnerability regardless of how peripheral the plugin's feature set looks.
CVE-2025-39389 was publicly disclosed on 2025-05-19 and is rated CRITICAL (CVSS 9.3). As of this writing no public proof-of-concept exploit has been published, but SQL injection is easy to exploit once the injection point is known, so assume a high probability of exploitation if the plugin is left unpatched. Monitor security advisories and threat-intelligence feeds for indications of active exploitation campaigns.
Websites running the AnalyticsWP plugin, particularly unpatched versions prior to 2.1.3, are at significant risk. Shared hosting environments where several sites use the same database server, or worse the same database user, widen the blast radius: an injection on one site can reach the tables of the others.
• wordpress (wp-cli / shell): `grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/analyticswp/` only confirms that the plugin builds SQL queries; it does not tell you whether the installed copy is patched.
• wordpress (wp-cli / shell): `wp plugin list | grep analyticswp` shows the installed version; anything below 2.1.3 is affected.
• wordpress (wp-cli / shell): `wp plugin update analyticswp`
• generic web: Check the web server access logs (and database query logs, if enabled) for requests to the plugin's endpoints carrying SQL injection keywords such as 'UNION SELECT', 'OR 1=1', or 'DROP TABLE'. The WordPress error log only captures failed queries when debug logging is enabled, so the access log is the more reliable place to look.
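The version check and the log review above, carried out in one script as an added example (this is not code from the advisory or from Solid Plugins). It reads the plugin's `Version:` header and compares it numerically against 2.1.3, then scans access-log lines in Apache/nginx combined format for injection-looking payloads in requests that mention the plugin. The main-file name `analyticswp.php`, the `admin-ajax.php` action names and every log line are assumptions or constructed samples, not the plugin's real endpoints or observed traffic.

```python
"""Added example (not from the advisory or from Solid Plugins): decide whether
an AnalyticsWP install is below the patched 2.1.3 and scan web-server access
logs for SQL-injection probes aimed at the plugin. The plugin main-file name,
the admin-ajax action names and every log line below are assumptions or
constructed samples, not observed data."""
import re
from pathlib import Path
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

PATCHED_VERSION = "2.1.3"  # from the advisory: fixed in 2.1.3


def parse_version(text: str) -> Tuple[int, ...]:
    """Compare versions numerically so that 2.1.10 sorts after 2.1.3."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_vulnerable(version: str) -> bool:
    """True for any version strictly below the patched release."""
    return parse_version(version) < parse_version(PATCHED_VERSION)


def version_from_header(php_source: str) -> Optional[str]:
    """Pull the 'Version:' line out of a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\w.\-]+)", php_source, re.M)
    return m.group(1) if m else None


def installed_version(plugin_dir: str, main_file: str = "analyticswp.php") -> Optional[str]:
    """Read the version header from disk. The main-file name is an assumption."""
    path = Path(plugin_dir) / main_file
    if not path.is_file():
        return None
    return version_from_header(path.read_text(errors="replace"))


# Constructed plugin header, shaped like every WordPress plugin's main file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: AnalyticsWP
 * Version: 2.1.2
 */
"""

# Apache/nginx "combined" log format: client, timestamp, request line, status.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Fragments an injection probe leaves in the (URL-decoded) request.
SQLI_PATTERNS = [
    re.compile(r"union\s+(all\s+)?select", re.I),
    re.compile(r"\b(or|and)\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+", re.I),
    re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),
    re.compile(r"\b(drop|truncate)\s+table\b", re.I),
    re.compile(r"information_schema", re.I),
]


def suspicious_requests(log_lines: List[str], plugin_slug: str = "analyticswp") -> List[Tuple[str, str, str]]:
    """Return (client_ip, timestamp, decoded_path) for requests that mention the
    plugin slug and carry an injection-looking payload in the query string.
    POST bodies are not written to access logs, so body-borne payloads stay invisible here."""
    hits = []
    for line in log_lines:
        m = COMBINED_LOG.match(line)
        if not m:
            continue
        decoded = unquote_plus(m.group("path"))
        if plugin_slug not in decoded.lower():
            continue
        if any(p.search(decoded) for p in SQLI_PATTERNS):
            hits.append((m.group("ip"), m.group("ts"), decoded))
    return hits


# Constructed access-log lines; the action names are invented for illustration.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/May/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=analyticswp_event&id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/May/2025:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=analyticswp_event&id=1%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users HTTP/1.1" 200 1984 "-" "sqlmap/1.8"',
    '198.51.100.4 - - [19/May/2025:10:02:11 +0000] "GET /?p=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [19/May/2025:10:03:40 +0000] "POST /wp-admin/admin-ajax.php?action=analyticswp_track HTTP/1.1" 200 40 "-" "curl/8.0"',
    '192.0.2.9 - - [19/May/2025:10:05:00 +0000] "GET /wp-content/plugins/analyticswp/x.php?q=1%27%20OR%201=1-- HTTP/1.1" 404 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    ver = version_from_header(SAMPLE_HEADER)
    print(f"installed {ver}: {'VULNERABLE' if ver and is_vulnerable(ver) else 'patched'}")
    for ip, ts, path in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} {path}")
```

Two points worth noting from the sample: the numeric comparison is what stops a future 2.1.10 from being misreported as older than 2.1.3 by a plain string compare, and the POST request to the plugin is not flagged even though it may well have carried the payload, because access logs never record request bodies. For body-borne injection you need a WAF log or a database query log, which is why the advisory's "generic web" check should not be read as complete coverage.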
disclosure
Exploit status
EPSS
0.23% (46th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-39389 is to upgrade the AnalyticsWP plugin to version 2.1.3 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, temporarily deactivate the plugin to remove the injection point. A Web Application Firewall with SQL Injection rules adds a layer of defense but is not a substitute for the patch, since rule sets are bypassable. Separately, review WordPress plugin configurations and restrict the database user WordPress connects with to the privileges it actually needs (its own database only, no FILE or administrative grants), so that any future injection has a smaller blast radius.
Update the AnalyticsWP plugin to version 2.1.3 or later to mitigate the SQL injection vulnerability. Take a full backup of the site before updating any plugin. Verify that the database is correctly configured and protected against unauthorized access.
CVE-2025-39389 is a critical SQL Injection vulnerability affecting AnalyticsWP WordPress plugin versions before 2.1.3, allowing attackers to potentially access and manipulate the database.
You are affected if you are using AnalyticsWP plugin versions prior to 2.1.3. Check your plugin version and upgrade immediately if necessary.
Upgrade the AnalyticsWP plugin to version 2.1.3 or later. If upgrading is not possible, temporarily disable the plugin.
While no public exploit is currently available, SQL Injection is easy to exploit once the injection point is known, so treat exploitation as likely if the plugin is left unpatched. Monitor access logs and WAF logs for injection attempts against the plugin.
Refer to the Solid Plugins website and WordPress plugin repository for the latest advisory and update information regarding CVE-2025-39389.