Platform
wordpress
Component
jquery-archive-list-widget
Fixed in
6.1.7
CVE-2025-54726 describes a SQL Injection vulnerability in JS Archive List, a WordPress plugin (slug jquery-archive-list-widget, formerly distributed as jQuery Archive List Widget). The flaw lets an attacker inject SQL into a query the plugin builds, potentially gaining unauthorized access to data stored in the WordPress database. All versions up to and including 6.1.6 are affected; the fix was released in version 6.1.7.
Successful exploitation could allow an attacker to read, modify, or delete data in the WordPress database, which holds user accounts and password hashes as well as site content; depending on the privileges of the database user WordPress connects with, that can extend to bypassing authentication, escalating to an administrator account, and taking over the WordPress installation. The impact is particularly severe where the database also stores customer, financial, or other confidential data. Because SQL Injection follows well-known patterns, the vulnerable parameter is a likely target for automated scanners once it is public.
CVE-2025-54726 was publicly disclosed on 2025-08-20. The vulnerability's severity is rated as CRITICAL (CVSS 9.3). While no public proof-of-concept (PoC) code has been released, the ease of SQL Injection exploitation suggests a high probability of exploitation if left unpatched. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
WordPress sites running JS Archive List 6.1.6 or earlier are at risk; there is no safe version before 6.1.7. Shared hosting environments where several sites share one database server, or worse one database user, are especially exposed, since a compromise of one site may reach the data of the others.
• wordpress / composer / npm:
ls /var/www/html/wp-content/plugins/ | grep jquery-archive-list-widget
wp plugin list --fields=name,version,status | grep jquery-archive-list-widget
wp plugin get jquery-archive-list-widget --field=version
• generic web:
curl -s https://your-wordpress-site.com/wp-content/plugins/jquery-archive-list-widget/readme.txt | grep -i "Stable tag"
The remote check only works when the plugin's readme.txt is served; a missing file or a 403 does not prove the plugin is absent, and the HTTP Server header says nothing about installed plugins.
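As an added example (not part of the advisory and not the plugin's own code), the following POSIX shell script reads the `Version:` plugin header from the installed plugin directory (slug jquery-archive-list-widget, as listed in the component field above) and compares it against the fixed release 6.1.7 with `sort -V`, so that pre-release and multi-digit components compare correctly. The embedded sample header is constructed for offline demonstration; the `/var/www/html` default root, the assumption that the main plugin file is the top-level .php file carrying a `Plugin Name:` header, and the reliance on GNU `sort -V` are assumptions.

```bash
#!/bin/sh
# Added example (not the advisory's or the plugin's own code): flag an installed
# JS Archive List plugin as affected by CVE-2025-54726 when its version sorts
# below the fixed release. Assumes GNU sort (-V) and a standard WordPress layout.
FIXED_VERSION="6.1.7"
PLUGIN_SLUG="jquery-archive-list-widget"

# Exit 0 (true) when $1 is an affected version, i.e. it sorts before FIXED_VERSION.
# Exit 1 for fixed versions, 2 for an empty argument.
version_is_vulnerable() {
    v="$1"
    [ -n "$v" ] || return 2
    [ "$v" = "$FIXED_VERSION" ] && return 1
    lowest=$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$v" ]
}

# Print the value of the "Version:" plugin header read from stdin (first match only).
plugin_header_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Locate the main plugin file (assumed: the top-level .php file carrying
# "Plugin Name:") under a WordPress root (assumed default /var/www/html).
# Exit 0 = affected, 1 = fixed, 2 = plugin not found or version unreadable.
check_install() {
    root="${1:-/var/www/html}"
    dir="$root/wp-content/plugins/$PLUGIN_SLUG"
    [ -d "$dir" ] || { echo "$PLUGIN_SLUG: not installed under $root"; return 2; }
    v=""
    for f in "$dir"/*.php; do
        [ -f "$f" ] || continue
        if grep -q "Plugin Name:" "$f"; then
            v=$(plugin_header_version < "$f")
            break
        fi
    done
    [ -n "$v" ] || { echo "$PLUGIN_SLUG: could not read plugin version"; return 2; }
    if version_is_vulnerable "$v"; then
        echo "$PLUGIN_SLUG $v: AFFECTED by CVE-2025-54726, upgrade to $FIXED_VERSION or later"
        return 0
    fi
    echo "$PLUGIN_SLUG $v: not affected (>= $FIXED_VERSION)"
    return 1
}

# Constructed sample header, so the script demonstrates itself offline.
SAMPLE_HEADER='<?php
/**
 * Plugin Name: JS Archive List
 * Version: 6.1.6
 */'
sample_version=$(printf '%s\n' "$SAMPLE_HEADER" | plugin_header_version)
if version_is_vulnerable "$sample_version"; then
    echo "sample header version $sample_version: affected"
else
    echo "sample header version $sample_version: fixed"
fi

# Real check, run only when a WordPress root is given on the command line.
if [ $# -gt 0 ]; then
    check_install "$1"
fi
```

Run it as `sh check-jal.sh /var/www/html` on the host; the exit status (0 affected, 1 fixed, 2 not found) makes it usable from a fleet-wide SSH loop or a cron job, and the version comparison is deliberately done with `sort -V` rather than string comparison so that a future 6.1.10 is not misread as older than 6.1.7.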
Exploit status
EPSS
0.92% (76th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-54726 is to upgrade JS Archive List to version 6.1.7 or later immediately; 6.1.6 is still affected. If upgrading is not immediately feasible because of compatibility issues, deactivate the plugin, or as a weaker stop-gap add a Web Application Firewall (WAF) rule that blocks SQL metacharacters and keywords in requests to the plugin's endpoints until the update is applied. If you maintain the plugin or code that calls into it, build every query with $wpdb->prepare() (placeholders, never string concatenation of request parameters). Independently of the patch, review the privileges of the database user WordPress connects with so that a successful injection cannot reach other databases or write files.
Update the JS Archive List plugin to a version later than 6.1.6 (that is, 6.1.7 or newer) to mitigate the SQL Injection vulnerability. Check the plugin page on wordpress.org for the latest available version and follow the update instructions provided by the developer.
CVE-2025-54726 is a critical SQL Injection vulnerability affecting JS Archive List versions 0.0.0 through 6.1.6, allowing attackers to inject malicious SQL code.
If you are using JS Archive List version 0.0.0 through 6.1.6 on your WordPress site, you are potentially affected by this vulnerability.
Upgrade JS Archive List to version 6.1.7 or later to resolve the SQL Injection vulnerability. Consider deactivating the plugin or adding WAF rules as a temporary workaround.
While no confirmed exploitation is public, the vulnerability's severity and ease of exploitation suggest a high probability of active exploitation.
Refer to the official JS Archive List project website or relevant security forums for the latest advisory and updates regarding CVE-2025-54726.