CVE-2025-48280 HIGH

CVE-2025-48280: WordPress AutomatorWP plugin <= 5.2.1.3 - SQL Injection Vulnerability

Vendor Ruben Garcia

Product AutomatorWP

Weakness CWE-89 · SQLi

Published May 19, 2025

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

7.6/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

What the vulnerability does

01Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ruben Garcia AutomatorWP automatorwp allows Blind SQL Injection.This issue affects AutomatorWP: from n/a through <= 5.2.1.3.

Explanation of Vulnerability in Simple Terms

02Summary

AutomatorWP versions up to 5.2.1.3 contain a SQL injection vulnerability in database query handling. An authenticated administrator can inject malicious SQL code through unfiltered input, potentially reading sensitive data from the database. The vulnerability requires high-level privileges to exploit but can affect the entire site's data confidentiality.

What an attacker can do

03Attacker Capabilities

Read sensitive data from the site's database by injecting SQL commands.

Potential impact on your site

04Site Impact

Database contents could be exposed to a compromised admin account; update immediately to patch the vulnerability.

Conditions required to exploit

05Prerequisites

Attacker must have administrator-level access to the site.

Key dates

06Disclosure timeline

May 19, 2025 CVE published

April 28, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-48280 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/89.html

Related vulnerabilities