WordPress Plugin Vulnerabilities

Recipe Card Blocks < 3.4.13 - Contributor+ SQLi

Description

The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks.

Proof of Concept

Affects Plugins

Plugin icon
recipe-card-blocks-by-wpzoom
Fixed in 3.4.13

References

CVE
CVE-2025-14973

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Purachai Phonwisut
Submitter
Purachai Phonwisut
Verified
Yes
WPVDB ID
76f7d5d4-ba45-4bfd-bda9-ab0769e81107

Timeline

Publicly Published
2026-01-05 (about 21 days ago)
Added
2026-01-05 (about 20 days ago)
Last Updated
2026-01-05 (about 20 days ago)

Other

Published
Title
Published
2025-11-20
Title
WP Directory Kit < 1.4.4 - Unauthenticated SQL Injection via select_2_ajax() Function
Published
2021-10-25
Title
MainWP Child < 4.1.8 - Admin+ SQL Injection
Published
2014-08-01
Title
A to Z Category Listing <= 1.3 - SQL Injection
Published
2014-08-01
Title
Easy Webinar - get_widget.php wid Parameter SQL Injection
Published
2022-01-05
Title
Rearrange Woocommerce Products < 3.0.8 - Subscriber+ SQL Injection