CRITICALCVE-2025-52833CVSS 9.3

WordPress LMS theme <= 9.2 - SQL Injection Vulnerability

Q: What is CVE-2025-52833 — SQL Injection in LMS LMS Theme?

CVE-2025-52833 is a critical SQL Injection vulnerability affecting the LMS LMS Theme, allowing attackers to inject malicious SQL code and potentially access sensitive data.

Q: Am I affected by CVE-2025-52833 in LMS LMS Theme?

You are affected if you are using LMS LMS Theme versions 0.0.0 through 9.2. Upgrade to version 9.3 to mitigate the risk.

Q: How do I fix CVE-2025-52833 in LMS LMS Theme?

Upgrade the LMS LMS Theme to version 9.3 or later. Implement a WAF and input validation as temporary workarounds if upgrading is not immediately possible.

Q: Is CVE-2025-52833 being actively exploited?

While no active exploitation has been confirmed, the ease of SQL Injection exploitation suggests a high probability of exploitation if the vulnerability remains unpatched.

Q: Where can I find the official LMS advisory for CVE-2025-52833?

Refer to the official LMS website or their security advisory page for the latest information and updates regarding CVE-2025-52833.

翻译中…

平台

wordpress

组件

lms

修复版本

9.2.1

AI Confidence: highNVDEPSS 0.1%已审阅: 2026年5月

在NVD查看

保存

正在翻译为您的语言…

CVE-2025-52833 describes a SQL Injection vulnerability discovered in the LMS LMS Theme. This flaw allows attackers to inject malicious SQL code, potentially compromising sensitive data and system integrity. The vulnerability affects versions of LMS LMS Theme from 0.0.0 up to and including 9.2. A patch is available in version 9.3.

WordPress

检测此 CVE 是否影响你的项目

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描

影响与攻击场景翻译中…

Successful exploitation of this SQL Injection vulnerability could grant an attacker unauthorized access to the underlying database. This could lead to the exfiltration of sensitive user data, including usernames, passwords, and personal information. Furthermore, an attacker might be able to modify or delete data, potentially disrupting the functionality of the LMS system. The blast radius extends to any data stored within the database accessible through the vulnerable query. While no specific real-world precedent is immediately apparent, SQL Injection vulnerabilities are consistently among the most exploited web application flaws, often leading to significant data breaches.

利用背景翻译中…

CVE-2025-52833 was published on 2025-07-04. Its criticality is high due to the potential for significant data compromise. No public proof-of-concept (POC) code has been publicly released as of this writing, but the ease of exploiting SQL Injection vulnerabilities suggests a high probability of exploitation if the vulnerability remains unpatched. The vulnerability is not currently listed on the CISA KEV catalog.

哪些人处于风险中翻译中…

WordPress sites utilizing the LMS LMS Theme, particularly those running versions 0.0.0 through 9.2, are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially impact others. Sites with weak database access controls or inadequate input validation practices are also at increased risk.

检测步骤翻译中…

• wordpress / composer / npm:

grep -r "SELECT .* FROM" /var/www/html/wp-content/themes/lms/

• generic web:

curl -I https://your-wordpress-site.com/lms/vulnerable-endpoint?param='; DROP TABLE users; --

• wordpress / composer / npm:

wp plugin list --status=inactive | grep lms

攻击时间线

2025-07-04Disclosure
disclosure

威胁情报

漏洞利用状态

概念验证未知

CISA KEVNO

互联网暴露高

EPSS

0.05% (16% 百分位)

CISA SSVC

利用情况none

可自动化yes

技术影响partial

CVSS 向量

这些指标意味着什么？

Attack Vector: 网络 — 可通过互联网远程利用，无需物理或本地访问。攻击面最大。
Attack Complexity: 低 — 无需特殊条件，可以稳定地利用漏洞。
Privileges Required: 无 — 无需认证，无需凭证即可利用。
User Interaction: 无 — 攻击自动且无声，受害者无需任何操作。
Scope: 已改变 — 攻击可以超出脆弱组件，影响其他系统。
Confidentiality: 高 — 完全丧失机密性，攻击者可读取所有数据。
Integrity: 无 — 无完整性影响。
Availability: 低 — 部分或间歇性拒绝服务。

受影响的软件

组件lms

供应商wordfence

影响范围修复版本

0 – 9.29.2.1

弱点分类 (CWE)

CWE-89

时间线

已保留2025-06-19
发布日期2025-07-04
修改日期2026-04-28
EPSS 更新日期2026-03-23

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2025-52833 is to immediately upgrade the LMS LMS Theme to version 9.3 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to detect and block SQL Injection attempts targeting the vulnerable endpoints. Input validation and parameterized queries should be implemented in any custom code interacting with the database. Regularly review database access permissions to limit the potential impact of a successful attack. After upgrading, confirm the vulnerability is resolved by attempting a SQL Injection payload on the affected endpoint and verifying it is properly sanitized.

修复方法翻译中…

Update to version 9.3, or a newer patched version

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2025-52833 — SQL Injection in LMS LMS Theme?

CVE-2025-52833 is a critical SQL Injection vulnerability affecting the LMS LMS Theme, allowing attackers to inject malicious SQL code and potentially access sensitive data.

Am I affected by CVE-2025-52833 in LMS LMS Theme?

You are affected if you are using LMS LMS Theme versions 0.0.0 through 9.2. Upgrade to version 9.3 to mitigate the risk.

How do I fix CVE-2025-52833 in LMS LMS Theme?

Upgrade the LMS LMS Theme to version 9.3 or later. Implement a WAF and input validation as temporary workarounds if upgrading is not immediately possible.

Is CVE-2025-52833 being actively exploited?

While no active exploitation has been confirmed, the ease of SQL Injection exploitation suggests a high probability of exploitation if the vulnerability remains unpatched.

Where can I find the official LMS advisory for CVE-2025-52833?

Refer to the official LMS website or their security advisory page for the latest information and updates regarding CVE-2025-52833.

你的项目受影响吗?

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE