Stored Cross-Site Scripting Vulnerability in EZ SQL Reports Shortcode Widget by WordPress
CVE-2025-6462

6.4 MEDIUM

What is CVE-2025-6462?

The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is vulnerable to stored cross-site scripting (XSS) through user-supplied attributes of the SQLREPORT shortcode in all versions up to and including 5.25.11, because the plugin neither validates those attributes on input nor encodes them on output. An authenticated attacker with Contributor-level access or higher can inject arbitrary web script into a page, and that script executes in the browser of any user who views the injected page. Sanitizing shortcode attributes on input and escaping them for their HTML context on output is what prevents this class of bug.
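The description above is about shortcode attributes that reach the rendered page without validation or output encoding. As an added illustration (not the plugin's own code; this page does not show the SQLREPORT handler), here is a hypothetical shortcode handler written in the vulnerable style next to a hardened version that uses WordPress's sanitization and escaping APIs. The shortcode name `demo_report`, its attributes and the allow-list of table names are assumptions for the example.

```php
<?php
// Added example, not the plugin's code. "demo_report", its attributes and
// the table allow-list are assumptions chosen for illustration.

// VULNERABLE PATTERN: attribute values are trusted and concatenated into
// HTML as-is. Whatever a post author puts in the attributes is stored with
// the post and lands in the markup for every visitor of that page.
function demo_report_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'table' => '', 'css_class' => '' ),
        $atts,
        'demo_report'
    );
    // No validation, no output encoding: stored XSS.
    return '<div class="' . $atts['css_class'] . '">'
         . '<h3>' . $atts['title'] . '</h3>'
         . '<p>Report for table ' . $atts['table'] . '</p>'
         . '</div>';
}

// HARDENED PATTERN: validate on input, encode for the HTML context on output.
function demo_report_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'table' => '', 'css_class' => '' ),
        $atts,
        'demo_report'
    );

    // Input validation: only known report tables are accepted (allow-list,
    // assumed names), and the CSS class is reduced to a plain identifier.
    $allowed_tables = array( 'orders', 'customers' );
    if ( ! in_array( $atts['table'], $allowed_tables, true ) ) {
        return '';
    }
    $css_class = sanitize_html_class( $atts['css_class'] );
    $title     = sanitize_text_field( $atts['title'] );

    // Output encoding: esc_attr() inside an attribute value,
    // esc_html() inside element text.
    return '<div class="' . esc_attr( $css_class ) . '">'
         . '<h3>' . esc_html( $title ) . '</h3>'
         . '<p>Report for table ' . esc_html( $atts['table'] ) . '</p>'
         . '</div>';
}

// Register only the hardened handler.
add_shortcode( 'demo_report', 'demo_report_shortcode_safe' );
```

The escaping call is chosen by where the value lands (attribute value versus element text), and validation happens before anything is stored or rendered; both steps are needed because sanitizing alone does not make a value safe for every HTML context.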

Affected Version(s)

EZ SQL Reports Shortcode Widget and DB Backup: all versions <= 5.25.11

CVSS v3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Gilang Asra Bilhadi