CVE-2025-12483

6.5 MEDIUM

SQL Injection

📋 TL;DR

This SQL injection vulnerability in the Visualizer WordPress plugin allows authenticated attackers with Contributor-level access or higher to inject malicious SQL queries via the 'query' parameter. This can lead to unauthorized data extraction from the database, potentially exposing sensitive information. The vulnerability affects all versions up to and including 3.11.12.

💻 Affected Systems

Products:

• Visualizer: Tables and Charts Manager for WordPress

Versions: All versions up to and including 3.11.12

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: WordPress sites with the Visualizer plugin installed and Contributor-level users or higher.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

1. Review the CVE details at NVD
2. Check vendor security advisories for your specific version
3. Test if the vulnerability is exploitable in your environment
4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including extraction of user credentials, sensitive content, and potential privilege escalation leading to full site takeover.

🟠

Likely Case

Extraction of sensitive data such as user information, plugin settings, and potentially other WordPress table data accessible via SQL injection.

🟢

If Mitigated

Limited data exposure if proper database permissions are configured and sensitive data is encrypted at rest.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Requires authenticated access (Contributor or higher). Version 3.11.13 raises minimum user-level to Administrator.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.11.14

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3405160%40visualizer%2Ftrunk&old=3355840%40visualizer%2Ftrunk&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Visualizer plugin. 4. Click 'Update Now' if update available. 5. If no update appears, manually download version 3.11.14 from WordPress.org and replace plugin files.

🔧 Temporary Workarounds

Temporary User Role Restriction

linux

Remove Contributor and Author roles until patch can be applied

Copy

wp user list --role=contributor --field=ID | xargs wp user set-role {ID} subscriber
wp user list --role=author --field=ID | xargs wp user set-role {ID} editor

🧯 If You Can't Patch

• Disable the Visualizer plugin completely via WordPress admin or by renaming plugin directory
• Implement WAF rules to block SQL injection patterns targeting the 'query' parameter

🔍 How to Verify

Check if Vulnerable:

Copy

Check WordPress admin → Plugins → Visualizer version. If version is 3.11.12 or lower, system is vulnerable.

Check Version:

Copy

wp plugin get visualizer --field=version

Verify Fix Applied:

Copy

Confirm Visualizer plugin version is 3.11.14 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

• Unusual SQL queries in WordPress debug logs
• Multiple failed login attempts followed by successful Contributor/Author login

Network Indicators:

• POST requests to /wp-admin/admin-ajax.php with 'query' parameter containing SQL keywords

SIEM Query:

Copy

source="wordpress.log" AND "admin-ajax.php" AND "query=" AND ("UNION" OR "SELECT" OR "INSERT" OR "UPDATE" OR "DELETE")

📊 Metadata

CVE ID: CVE-2025-12483

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-89

EPSS Score: 0.04% exploit probability (11.2th percentile)

Published: December 2, 2025

Last Updated: December 2, 2025

🔗 References

• https://plugins.trac.wordpress.org/browser/visualizer/tags/3.11.12/classes/Visualizer/Gutenberg/Block.php#L499
• https://plugins.trac.wordpress.org/browser/visualizer/tags/3.11.12/classes/Visualizer/Source/Query.php#L173
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3405160%40visualizer%2Ftrunk&old=3355840%40visualizer%2Ftrunk&sfp_email=&sfph_mail=
• https://www.wordfence.com/threat-intel/vulnerabilities/id/94392c66-6e50-48bb-93cb-9aa9d0229761?source=cve

📤 Share & Export

Twitter LinkedIn Reddit Copy Link

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-12483, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)

CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)

CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)