Platform: wordpress
Component: wp-lead-capture
Fixed version: 2.5.4
CVE-2025-49055 describes a SQL Injection vulnerability discovered in the WP Lead Capturing Pages WordPress plugin. This flaw allows attackers to perform blind SQL injection, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions from 0.0.0 up to and including 2.5. A patch is available in version 2.5.4.
The SQL Injection vulnerability in WP Lead Capturing Pages allows an attacker to bypass security measures and directly interact with the underlying database. By crafting malicious SQL queries, an attacker can extract sensitive information such as user credentials, personally identifiable information (PII), and potentially even gain control over the WordPress database. The 'blind' nature of the injection means the attacker doesn't receive direct feedback from the database, requiring them to infer results through trial and error, making detection more challenging. Successful exploitation could lead to complete compromise of the WordPress site and associated data.
CVE-2025-49055 was published on 2026-01-22. The vulnerability's 'blind' nature suggests a potentially higher difficulty for exploitation, but the CRITICAL CVSS score indicates significant risk. Public proof-of-concept (POC) code is currently unknown, but the vulnerability's nature makes it likely that such code will emerge. Monitor security advisories and threat intelligence feeds for updates.
Websites utilizing the WP Lead Capturing Pages plugin, particularly those running older, unpatched versions (0.0.0 - 2.5), are at significant risk. Shared hosting environments where multiple websites share the same database are especially vulnerable, as a compromise of one site could potentially impact others.
• wordpress / composer / npm:
  grep -r "kamleshyadav/wp-lead-capture" /var/www/html/wp-content/plugins/
• wordpress / composer / npm (the name column of `wp plugin list` holds the plugin slug, so grep for the slug rather than the display name):
  wp plugin list | grep "wp-lead-capture"
• wordpress / composer / npm:
  wp plugin update --all
• generic web: Check for unusual database activity in WordPress logs, specifically related to the WP Lead Capturing Pages plugin.
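The grep and wp-cli checks above only tell you the plugin is present; the following script, added here as an example and not part of the advisory or the plugin, reads the standard `Version:` header from the plugin's main PHP file and reports whether the installed copy is below the fixed version 2.5.4. It assumes the plugin lives in a directory such as `wp-content/plugins/wp-lead-capture` (slug from the advisory) and that its main file carries a `Plugin Name:` header, as WordPress requires.

```shell
#!/bin/sh
# Added example (not the plugin's or the advisory's own code): flag an installed
# WP Lead Capturing Pages plugin whose version is below the patched release.
FIXED_VERSION="2.5.4"

# plugin_version DIR -> prints the "Version:" header of the plugin in DIR.
# Assumption: the main plugin file is a top-level .php file with a "Plugin Name:" header.
plugin_version() {
    dir="$1"
    for f in "$dir"/*.php; do
        [ -f "$f" ] || continue
        if grep -q "Plugin Name:" "$f"; then
            # Accept " * Version: 2.5" as well as "Version: 2.5"; keep digits and dots only.
            sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9.]*\).*/\1/p' "$f" | head -n 1
            return 0
        fi
    done
    return 1
}

# version_lt A B -> exit 0 if dotted version A is strictly lower than B.
# Compares component by component so that 2.5 < 2.5.4 and 2.5.10 > 2.5.4.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# is_affected DIR -> exit 0 when the installed version is in the vulnerable range
# (below 2.5.4); exit 2 when no plugin header could be read.
is_affected() {
    v="$(plugin_version "$1")" || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# Usage: sh check-wp-lead-capture.sh /var/www/html/wp-content/plugins/wp-lead-capture
if [ -n "${1:-}" ]; then
    if v="$(plugin_version "$1")"; then
        if version_lt "$v" "$FIXED_VERSION"; then echo "AFFECTED: $v < $FIXED_VERSION"
        else echo "OK: $v is at or above $FIXED_VERSION"; fi
    else
        echo "no plugin header found under $1"
    fi
fi
```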
disclosure
Exploitation status
EPSS: 0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-49055 is to immediately upgrade the WP Lead Capturing Pages plugin to version 2.5.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. Web Application Firewalls (WAFs) configured with rules to detect and block SQL injection attempts can provide an additional layer of defense. Monitor WordPress logs for suspicious SQL queries originating from the plugin’s endpoints. After upgrading, verify the fix by attempting a SQL injection payload through the plugin's input fields and confirming no data is exposed.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-49055 is a critical SQL Injection vulnerability affecting the WP Lead Capturing Pages WordPress plugin, allowing attackers to extract data via blind SQL injection.
You are affected if you are using WP Lead Capturing Pages versions 0.0.0 through 2.5. Check your plugin version and upgrade immediately.
Upgrade the WP Lead Capturing Pages plugin to version 2.5.4 or later to patch the SQL Injection vulnerability. Disable the plugin if immediate upgrade is not possible.
While active exploitation is not yet confirmed, the CRITICAL severity and nature of the vulnerability suggest it is likely to be targeted. Monitor for suspicious activity.
Refer to the plugin developer's website or WordPress.org plugin repository for the official advisory and update information.