SQL Injection Vulnerability in I Thirteen Web Solution Email Subscription Popup Plugin
CVE-2025-24587

7.6HIGH

Key Information:

Vendor: WordPress
Status: Email Subscription Popup
Vendor: CVE Published:; 24 January 2025

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The Email Subscription Popup plugin by I Thirteen Web Solution is vulnerable to an SQL Injection flaw, which permits attackers to execute arbitrary SQL commands through crafted input. This weakness can be exploited to retrieve sensitive data from the database. The issue affects versions of the plugin up to and including 1.2.23, emphasizing the need for users to update their installations to secure their sites from potential exploitation.

Affected Version(s)

Email Subscription Popup <= 1.2.23

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-24587
Created by DoTTak

References

https://patchstack.com/database/wordpress/plugin/email-su...

vdb-entry

CVSS V3.1

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

🟡
Public PoC available
Jan 31, 2025
👾
Exploit known to exist
Jan 31, 2025
Vulnerability published
Jan 24, 2025
Vulnerability Reserved
Jan 23, 2025

Credit

Webula (Patchstack Alliance)