CRITICALCVE-2025-54726CVSS 9.3

WordPress JS Archive List Plugin < 6.1.6 - SQL Injection Vulnerability

Q: What is CVE-2025-54726 — SQL Injection in JS Archive List?

CVE-2025-54726 is a critical SQL Injection vulnerability affecting JS Archive List versions 0.0.0 through 6.1.6, allowing attackers to inject malicious SQL code.

Q: Am I affected by CVE-2025-54726 in JS Archive List?

If you are using JS Archive List version 0.0.0 through 6.1.6 on your WordPress site, you are potentially affected by this vulnerability.

Q: How do I fix CVE-2025-54726 in JS Archive List?

Upgrade JS Archive List to version 6.1.6 or later to resolve the SQL Injection vulnerability. Consider WAF rules as a temporary workaround.

Q: Is CVE-2025-54726 being actively exploited?

While no confirmed exploitation is public, the vulnerability's severity and ease of exploitation suggest a high probability of active exploitation.

Q: Where can I find the official JS Archive List advisory for CVE-2025-54726?

Refer to the official JS Archive List project website or relevant security forums for the latest advisory and updates regarding CVE-2025-54726.

翻译中…

平台

wordpress

组件

jquery-archive-list-widget

修复版本

6.1.7

AI Confidence: highNVDEPSS 0.9%已审阅: 2026年5月

在NVD查看

保存

正在翻译为您的语言…

CVE-2025-54726 describes a SQL Injection vulnerability discovered in JS Archive List, a jQuery widget. This flaw allows attackers to inject malicious SQL code, potentially gaining unauthorized access to sensitive data stored within the database. The vulnerability impacts versions from 0.0.0 up to and including 6.1.6. A patch has been released in version 6.1.6.

WordPress

检测此 CVE 是否影响你的项目

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描

影响与攻击场景翻译中…

Successful exploitation of this SQL Injection vulnerability could allow an attacker to bypass authentication mechanisms, read, modify, or delete sensitive data stored in the database. Depending on the database structure and permissions, an attacker might be able to escalate privileges and gain control over the entire WordPress installation. The impact is particularly severe if the database contains user credentials, financial information, or other confidential data. This vulnerability follows a common SQL Injection pattern, making it a high-priority target for automated scanning tools.

利用背景翻译中…

CVE-2025-54726 was publicly disclosed on 2025-08-20. The vulnerability's severity is rated as CRITICAL (CVSS 9.3). While no public proof-of-concept (PoC) code has been released, the ease of SQL Injection exploitation suggests a high probability of exploitation if left unpatched. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.

哪些人处于风险中翻译中…

WordPress websites utilizing the JS Archive List plugin, particularly those running older versions (0.0.0 - 6.1.6), are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially impact others.

检测步骤翻译中…

• wordpress / composer / npm:

grep -r "JS Archive List" /var/www/html/wp-content/plugins/
wp plugin list | grep "JS Archive List"

• generic web:

curl -I https://your-wordpress-site.com/wp-content/plugins/js-archive-list-widget/ | grep Server

攻击时间线

2025-08-20Disclosure
disclosure

威胁情报

漏洞利用状态

概念验证未知

CISA KEVNO

互联网暴露高

报告1 份威胁报告

EPSS

0.92% (76% 百分位)

CISA SSVC

利用情况none

可自动化yes

技术影响partial

CVSS 向量

这些指标意味着什么？

Attack Vector: 网络 — 可通过互联网远程利用，无需物理或本地访问。攻击面最大。
Attack Complexity: 低 — 无需特殊条件，可以稳定地利用漏洞。
Privileges Required: 无 — 无需认证，无需凭证即可利用。
User Interaction: 无 — 攻击自动且无声，受害者无需任何操作。
Scope: 已改变 — 攻击可以超出脆弱组件，影响其他系统。
Confidentiality: 高 — 完全丧失机密性，攻击者可读取所有数据。
Integrity: 无 — 无完整性影响。
Availability: 低 — 部分或间歇性拒绝服务。

受影响的软件

组件jquery-archive-list-widget

供应商Miguel Useche

影响范围修复版本

0.0.0 – 6.1.66.1.7

软件包信息

活跃安装数: 3K小众
插件评分: 4.8
需要WordPress版本: 4.7+
兼容至: 6.9.4
需要PHP版本: 7.4+

主页

弱点分类 (CWE)

CWE-89

时间线

已保留2025-07-28
发布日期2025-08-20
修改日期2026-04-28
EPSS 更新日期2026-03-23

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2025-54726 is to immediately upgrade JS Archive List to version 6.1.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious SQL queries targeting the vulnerable endpoint. Carefully review and sanitize all user inputs before incorporating them into SQL queries. Regularly audit database permissions to minimize the potential impact of a successful attack.

修复方法翻译中…

Actualice el plugin JS Archive List a una versión superior a 6.1.6 para mitigar la vulnerabilidad de inyección SQL.  Verifique la página del plugin en wordpress.org para obtener la última versión disponible y siga las instrucciones de actualización proporcionadas por el desarrollador.

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2025-54726 — SQL Injection in JS Archive List?

CVE-2025-54726 is a critical SQL Injection vulnerability affecting JS Archive List versions 0.0.0 through 6.1.6, allowing attackers to inject malicious SQL code.

Am I affected by CVE-2025-54726 in JS Archive List?

If you are using JS Archive List version 0.0.0 through 6.1.6 on your WordPress site, you are potentially affected by this vulnerability.

How do I fix CVE-2025-54726 in JS Archive List?

Upgrade JS Archive List to version 6.1.6 or later to resolve the SQL Injection vulnerability. Consider WAF rules as a temporary workaround.

Is CVE-2025-54726 being actively exploited?

While no confirmed exploitation is public, the vulnerability's severity and ease of exploitation suggest a high probability of active exploitation.

Where can I find the official JS Archive List advisory for CVE-2025-54726?

Refer to the official JS Archive List project website or relevant security forums for the latest advisory and updates regarding CVE-2025-54726.

你的项目受影响吗?

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE