– Proof of Concept - Atomic Edge

Atomic Edge analysis of CVE-2025-69310 (metadata-based): This vulnerability is an unauthenticated SQL injection in the Woodly Core WordPress plugin, version 1.4 and earlier. The flaw allows attackers to execute arbitrary SQL commands via a user-supplied parameter, leading to sensitive data extraction from the WordPress database. The CVSS score of 7.5 (High) reflects its network-based, low-complexity attack vector with no authentication requirement.

The root cause is improper neutralization of special elements in an SQL command (CWE-89). The vulnerability description states insufficient escaping on a user-supplied parameter and a lack of sufficient preparation on an existing SQL query. Atomic Edge research infers the plugin likely constructs SQL queries by directly concatenating user input into the query string without using parameterized queries via `$wpdb->prepare()`. This conclusion is based on the CWE classification and the description’s mention of insufficient escaping and preparation.

Exploitation likely occurs via a public-facing WordPress hook, such as an AJAX endpoint registered with `wp_ajax_nopriv_` or a REST API endpoint. An attacker would send a crafted HTTP request containing a malicious SQL payload in a specific parameter. For example, a request to `/wp-admin/admin-ajax.php` with an `action` parameter like `woodly_core_action` and an injectable parameter like `id` could be used. A payload such as `1′ UNION SELECT user_login,user_pass FROM wp_users– -` would attempt to extract user credentials.

Remediation requires using WordPress’s built-in database abstraction layer correctly. The fix must replace direct string concatenation in SQL statements with prepared statements using `$wpdb->prepare()`. Input validation and sanitization functions like `sanitize_text_field()` should also be applied, but they are not substitutes for proper query parameterization. The patched version should ensure all SQL queries use `$wpdb->prepare()` with placeholders for variable data.

Successful exploitation leads to full compromise of the WordPress database confidentiality. Attackers can extract all data, including hashed user passwords, session tokens, personal information, and other sensitive content stored in plugin-specific tables. This data exposure can facilitate further attacks like password cracking, account takeover, or privilege escalation within the WordPress site.