SQL Injection Vulnerability in PGS Core Plugin for WordPress
CVE-2025-0853

7.5HIGH

Key Information:

Vendor: WordPress
Status: Pgs Core
Vendor: CVE Published:; 6 May 2025

What is CVE-2025-0853?

The PGS Core plugin for WordPress is susceptible to SQL Injection through the 'event' parameter in the 'save_header_builder' function. This vulnerability arises from improper escaping of user-supplied parameters and an inadequate setup of the SQL query. As a result, unauthenticated attackers can exploit this flaw by appending malicious SQL commands to existing queries. This capability could potentially permit the extraction of sensitive information from the database, posing a significant security risk.

Affected Version(s)

PGS Core * <= 5.8.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://docs.potenzaglobalsolutions.com/docs/ciyashop-wp/...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 6, 2025
Vulnerability Reserved
Jan 29, 2025

Credit

István Márton