WordPress Local Magic plugin <= 2.9.0 - SQL Injection vulnerability
翻译中…平台
wordpress
组件
local-magic
修复版本
2.9.1
CVE-2025-32636 identifies a SQL Injection vulnerability within the Local Magic WordPress plugin. This flaw allows attackers to inject malicious SQL code, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions 0.0.0 through 2.9.0 of the plugin, and a fix is available in version 2.9.1.
检测此 CVE 是否影响你的项目
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。
影响与攻击场景翻译中…
Successful exploitation of this SQL Injection vulnerability could grant an attacker complete control over the WordPress database. This includes the ability to read, modify, or delete sensitive information such as user credentials, post content, and configuration settings. An attacker could also leverage this access to escalate privileges, gain remote code execution on the server, or launch further attacks against other systems within the network. The potential for data exfiltration and system compromise is significant, particularly in environments where Local Magic is used to manage sensitive project data.
利用背景翻译中…
CVE-2025-32636 was publicly disclosed on April 17, 2025. The vulnerability's severity and ease of exploitation suggest a medium probability of exploitation (EPSS score likely medium). Public proof-of-concept (PoC) code is anticipated given the widespread use of WordPress and the relatively straightforward nature of SQL Injection attacks. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
哪些人处于风险中翻译中…
WordPress sites utilizing the Local Magic plugin, particularly those running versions 0.0.0 through 2.9.0, are at significant risk. Shared hosting environments where multiple WordPress installations share the same database are especially vulnerable, as a compromise of one site could potentially impact others. Sites using older, unpatched versions of WordPress itself may also be at increased risk due to potential interaction vulnerabilities.
检测步骤翻译中…
• wordpress / composer / npm:
grep -r "SELECT .* FROM" /var/www/html/wp-content/plugins/local-magic/• generic web:
curl -I 'http://your-wordpress-site.com/wp-admin/admin.php?page=local-magic&action=some_vulnerable_function' | grep 'SQL injection attempt'• wordpress / composer / npm:
wp plugin list --status=inactive | grep local-magic攻击时间线
- Disclosure
disclosure
威胁情报
漏洞利用状态
EPSS
0.23% (46% 百分位)
CISA SSVC
CVSS 向量
这些指标意味着什么?
- Attack Vector
- 网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
- Attack Complexity
- 低 — 无需特殊条件,可以稳定地利用漏洞。
- Privileges Required
- 无 — 无需认证,无需凭证即可利用。
- User Interaction
- 无 — 攻击自动且无声,受害者无需任何操作。
- Scope
- 已改变 — 攻击可以超出脆弱组件,影响其他系统。
- Confidentiality
- 高 — 完全丧失机密性,攻击者可读取所有数据。
- Integrity
- 无 — 无完整性影响。
- Availability
- 低 — 部分或间歇性拒绝服务。
受影响的软件
软件包信息
- 活跃安装数
- 100小众
- 插件评分
- 0.0
- 需要WordPress版本
- 3.5.1+
- 兼容至
- 6.8.5
- 需要PHP版本
- 5.6.0+
弱点分类 (CWE)
时间线
- 已保留
- 发布日期
- 修改日期
- EPSS 更新日期
缓解措施和替代方案翻译中…
The primary mitigation for CVE-2025-32636 is to immediately upgrade the Local Magic plugin to version 2.9.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious SQL queries targeting vulnerable endpoints. Additionally, review and restrict database user permissions to limit the impact of a successful SQL Injection attack. Monitor WordPress logs for suspicious SQL activity and implement intrusion detection systems to identify and respond to potential exploitation attempts.
修复方法翻译中…
Actualice el plugin Local Magic a la versión 2.9.1 o superior para mitigar la vulnerabilidad de inyección SQL. Asegúrese de realizar una copia de seguridad de su sitio web antes de actualizar cualquier plugin. Verifique que su base de datos esté actualizada y configurada con las mejores prácticas de seguridad.
CVE 安全通讯
漏洞分析和关键警报直接发送到您的邮箱。
常见问题翻译中…
What is CVE-2025-32636 — SQL Injection in Local Magic WordPress Plugin?
CVE-2025-32636 is a critical SQL Injection vulnerability affecting Local Magic versions 0.0.0 through 2.9.0, allowing attackers to inject malicious SQL code and potentially gain unauthorized database access.
Am I affected by CVE-2025-32636 in Local Magic WordPress Plugin?
You are affected if you are using Local Magic versions 0.0.0 to 2.9.0. Immediately check your plugin version and upgrade if necessary.
How do I fix CVE-2025-32636 in Local Magic WordPress Plugin?
Upgrade Local Magic to version 2.9.1 or later. Consider implementing a WAF rule as an interim measure if immediate upgrading is not possible.
Is CVE-2025-32636 being actively exploited?
While active exploitation is not yet confirmed, the vulnerability's severity and ease of exploitation suggest a medium probability of exploitation. Monitor security advisories for updates.
Where can I find the official Local Magic advisory for CVE-2025-32636?
Refer to the Local Magic plugin website and WordPress.org plugin repository for the official advisory and update information.