Platform
wordpress
Component
allmart-core
Fixed in
1.1.1
CVE-2025-69304 describes a critical SQL Injection vulnerability affecting the Allmart WordPress theme. This flaw allows attackers to perform blind SQL injection, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 through 1.1. A patch is expected to be released by the vendor.
The SQL injection vulnerability in Allmart allows an attacker to bypass security measures and interact directly with the underlying database. Because the injection is blind, the attacker receives no direct query output and must probe the database one condition at a time to extract information, which is slow but entirely feasible. Sensitive data at risk includes user credentials, customer information, order details, and potentially database schema information. Successful exploitation could lead to complete compromise of the WordPress site and its associated data. Like other SQL injection flaws, it may also give an attacker a route to bypass authentication and gain administrative access.
CVE-2025-69304 was published on 2026-02-20. The CVSS score of 9.3 indicates a critical severity. Public proof-of-concept (POC) code is currently unavailable, but the vulnerability's nature makes it likely that a POC will be developed. It is not currently listed on CISA KEV. Active exploitation is not yet confirmed, but the high severity warrants immediate attention.
Websites using the Allmart WordPress theme, particularly those with sensitive data stored in the database, are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r "SELECT .* FROM" /var/www/html/allmart-core/
• generic web:
curl -I https://your-wordpress-site.com/ | grep SQL
• wordpress / composer / npm:
wp plugin list | grep allmart
• wordpress / composer / npm:
wp plugin update allmart
Disclosure
Exploit Status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-69304 is to upgrade to a patched version of the Allmart WordPress theme as soon as it becomes available. In the interim, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL injection attempts targeting the vulnerable endpoints. Consider using parameterized queries or prepared statements in your WordPress code to prevent SQL injection vulnerabilities in the future. Regularly review and sanitize user inputs to further reduce the attack surface.
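The parameterized-query advice above is the durable fix. The following is an added illustration, not code from the Allmart theme or from this advisory: a hypothetical product lookup (the function names, the `allmart_products` table and the REST route are all assumptions) shown first as an injectable string-built query and then rewritten with WordPress's own `$wpdb->prepare()`, which binds the value instead of splicing it into SQL text. It assumes it runs inside WordPress with `$wpdb` loaded.

```php
<?php
// Added example (not the Allmart theme's code). Hypothetical product lookup,
// vulnerable form followed by the hardened form. Runs inside WordPress.

// VULNERABLE: user-controlled input is interpolated straight into the SQL string.
function allmart_example_lookup_unsafe( $sku ) {
    global $wpdb;
    $table = $wpdb->prefix . 'allmart_products'; // hypothetical table name
    // A single quote in $sku changes the query structure. With no query output
    // shown to the user, a true/false or timing difference is still enough to
    // leak data one bit at a time (the blind case this advisory describes).
    $sql = "SELECT id, name, price FROM {$table} WHERE sku = '" . $sku . "'";
    return $wpdb->get_row( $sql );
}

// HARDENED: the value is passed as a bound parameter, never as SQL text.
function allmart_example_lookup_safe( $sku ) {
    global $wpdb;
    $table = $wpdb->prefix . 'allmart_products'; // hypothetical table name
    // $wpdb->prepare() quotes and escapes %s placeholders and coerces %d to int.
    // Identifiers (table/column names) cannot be bound; keep them hard-coded.
    $sql = $wpdb->prepare(
        "SELECT id, name, price FROM {$table} WHERE sku = %s",
        sanitize_text_field( $sku )
    );
    return $wpdb->get_row( $sql );
}

// Typical entry point: a REST route whose argument comes straight from the request.
// The 'args' sanitizer reduces junk input, but the prepare() call is what actually
// prevents injection; sanitization alone is not a substitute for binding.
add_action( 'rest_api_init', function () {
    register_rest_route( 'allmart-example/v1', '/product', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true', // public read; restrict if the data is sensitive
        'args'                => array(
            'sku' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
        'callback'            => function ( WP_REST_Request $request ) {
            $row = allmart_example_lookup_safe( $request->get_param( 'sku' ) );
            if ( ! $row ) {
                return new WP_Error( 'not_found', 'No such product', array( 'status' => 404 ) );
            }
            return rest_ensure_response( $row );
        },
    ) );
} );
```

When auditing a theme or plugin for this class of bug, the pattern to look for is any `$wpdb->query()`, `get_row()`, `get_results()` or `get_var()` call whose SQL string is built with `.` or `{}` interpolation from `$_GET`, `$_POST`, REST parameters or shortcode attributes without passing through `$wpdb->prepare()`; a WAF rule can buy time, but only the bound query removes the flaw.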
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-69304 is a critical SQL Injection vulnerability in the Allmart WordPress theme, allowing attackers to extract data via blind SQL injection. It affects versions 0.0.0–1.1.
If you are using the Allmart WordPress theme versions 0.0.0 through 1.1, you are potentially affected by this vulnerability. Check your theme version immediately.
Upgrade to a patched version of the Allmart WordPress theme as soon as it's released. Until then, implement a WAF and sanitize user inputs.
Active exploitation is not yet confirmed, but the high severity warrants immediate attention and proactive mitigation.
Please refer to the Allmart theme developer's website or WordPress plugin repository for the official advisory and patch release.