SQL Injection Vulnerability in B1.lt Plugin for WordPress
CVE-2025-6717

6.5 MEDIUM

Key Information:

Vendor: WordPress

Status
Vendor
CVE Published: 18 July 2025

What is CVE-2025-6717?

The B1.lt plugin for WordPress is vulnerable to SQL injection through the 'id' parameter: the user-supplied value is not properly escaped, and the existing SQL query is not adequately prepared before it runs. Authenticated attackers with Subscriber-level access or higher can use this to inject arbitrary SQL into existing database queries, which opens up the potential for unauthorized access to sensitive database content. Users should make sure they are running the latest version of the plugin.

Affected Version(s)

B1.lt: all versions <= 2.2.56

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Aurélien BOURDOIS