Time-based SQL Injection in Bit Assist Plugin for WordPress
CVE-2025-0821

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Chat Widget: Customer Support Button With Sms Call Button, Click To Chat Messenger, Live Chat Support Chat Button – Bit Assist
Vendor: CVE Published:; 14 February 2025

Summary

The Bit Assist plugin for WordPress is susceptible to a time-based SQL Injection vulnerability through the ‘id’ parameter. This issue arises from inadequate escaping of user-supplied input and insufficient protection in the SQL query construction. Authenticated users with Subscriber-level access or higher can exploit this flaw to inject arbitrary SQL queries into existing ones. This could lead to unauthorized access and the potential exposure of sensitive database information.

Affected Version(s)

Chat Widget: Customer Support Button with SMS Call Button, Click to Chat Messenger, Live Chat Support Chat Button – Bit Assist * <= 1.5.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/bit-assist/tag...

https://wordpress.org/plugins/bit-assist/#developers

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 14, 2025
Vulnerability Reserved
Jan 28, 2025

Credit

Arkadiusz Hydzik