What the vulnerability does
01Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in favethemes Homey homey allows SQL Injection.This issue affects Homey: from n/a through <= 2.4.7.
CVE-2025-52834
CRITICAL
CVE-2025-52834: WordPress Homey theme <= 2.4.7 - SQL Injection vulnerability
CVSS base score
9.3/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Explanation of Vulnerability in Simple Terms
02Summary
Homey versions up to 2.4.7 contain a SQL injection vulnerability in database query handling. An attacker on the network can craft malicious input to extract sensitive data from the site's database or disrupt service availability. No authentication or user interaction is required. The vulnerability affects the entire application scope.
What an attacker can do
03Attacker Capabilities
Extract sensitive data from the database or cause the site to become unavailable.
Potential impact on your site
04Site Impact
Attackers can read private data from your database or crash the site without logging in.
Conditions required to exploit
05Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06Disclosure timeline
June 27, 2025
CVE published
April 28, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2025-36368 IBM Sterling B2B Integrator and IBM Sterling File Gateway SQL Injection
CVE-2024-12157 Popup – MailChimp, GetResponse and ActiveCampaign Intergrations <= 3.2.6 - Unauthenticated SQL Injection
CVE-2025-5612 PHPGurukul Online Fire Reporting System reporting.php sql injection
CVE-2024-12231 CodeZips Project Management System index.php sql injection
CVE-2024-12416 Woomotiv <= 3.6.1 - Unauthenticated SQL Injection
