Cross-Site Request Forgery in EZ SQL Reports Shortcode Widget and DB Backup for WordPress
CVE-2025-2319

8.8 HIGH

What is CVE-2025-2319?

The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) because the 'ELISQLREPORTS_menu' function does not validate a nonce. As a result, an unauthenticated attacker who deceives a site administrator into clicking a crafted link can cause unauthorized commands to be executed on the server. Version 5.25.10 mitigates the issue by adding the missing nonce checks, which limits exploitation to admin users only.
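To illustrate the defect class this advisory describes, here is an added example that is not the plugin's code and is not taken from this page: a hypothetical WordPress admin-menu handler that acts on a POST parameter with no nonce check, followed by the hardened form that verifies the caller's capability and a per-action nonce before acting. All function, action and field names (ezsql_menu_page_*, ezsql_run_report, ezsql_nonce, ezsql_report_sql) are assumptions.

```php
<?php
// Added example, not the plugin's code. Handler, action and field names
// (ezsql_menu_page_*, ezsql_run_report, ezsql_nonce, ezsql_report_sql) are assumed.

// VULNERABLE: an admin-page handler that acts on POST data without a nonce.
// A page the administrator visits can auto-submit a form to this URL; the
// browser attaches the admin's cookies, so the action runs as the admin.
function ezsql_menu_page_vulnerable() {
    global $wpdb;
    if ( isset( $_POST['ezsql_report_sql'] ) ) {
        // No check_admin_referer() and no capability check: classic CSRF.
        $wpdb->query( wp_unslash( $_POST['ezsql_report_sql'] ) );
    }
    echo '<form method="post">'
       . '<textarea name="ezsql_report_sql"></textarea>'
       . '<button type="submit">Run</button></form>';
}

// HARDENED: check the capability first, then the nonce bound to this specific
// action, before touching the database. check_admin_referer() wraps
// wp_verify_nonce() and stops with a 403 if the token is missing or invalid.
// A WordPress nonce is tied to the logged-in user and the action name, so a
// page on another origin cannot obtain or forge one for the administrator.
function ezsql_menu_page_hardened() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Sorry, you are not allowed to access this page.', 'ezsql-example' ), 403 );
    }
    if ( isset( $_POST['ezsql_report_sql'] ) ) {
        check_admin_referer( 'ezsql_run_report', 'ezsql_nonce' );
        $wpdb->query( wp_unslash( $_POST['ezsql_report_sql'] ) );
    }
    echo '<form method="post">';
    // Emits a hidden input named ezsql_nonce valid only for ezsql_run_report.
    wp_nonce_field( 'ezsql_run_report', 'ezsql_nonce' );
    echo '<textarea name="ezsql_report_sql"></textarea>'
       . '<button type="submit">Run</button></form>';
}
```

The nonce check and the capability check are complementary: the capability check decides who may use the page, the nonce check proves the request was intentionally submitted from that user's own session rather than forged from elsewhere.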

Affected Version(s)

EZ SQL Reports Shortcode Widget and DB Backup, versions 4.11.13 through 5.25.08

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

lucky_buddy
The Cyber Security Vulnerability Database.