CVE-2025-27281

8.5 HIGH

📋 TL;DR

This SQL injection vulnerability in the All In Menu WordPress plugin allows attackers to execute arbitrary SQL commands against the database. It affects all versions up to 1.1.5, potentially compromising websites using this plugin.

💻 Affected Systems

Products:
  • All In Menu WordPress Plugin
Versions: n/a through 1.1.5
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations using vulnerable versions of the plugin

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, privilege escalation, or full website takeover

🟠 Likely Case: Data extraction from the WordPress database including user credentials, sensitive content, or configuration data

🟢 If Mitigated: Limited impact with proper input validation and database permissions restricting damage

🌐 Internet-Facing: HIGH - WordPress plugins are typically internet-facing and accessible to attackers
🏢 Internal Only: LOW - This is a WordPress plugin primarily deployed on public-facing websites

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Blind SQL injection requires more sophisticated exploitation but is still dangerous

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 1.1.5

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/all-in-menu/vulnerability/wordpress-all-in-menu-plugin-1-1-5-sql-injection-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'All In Menu' plugin
4. Click 'Update Now' if available
5. If no update available, deactivate and remove the plugin

🔧 Temporary Workarounds

Input Validation Filter (WordPress)

Add custom input validation to sanitize all user inputs before processing.

Add input sanitization functions in plugin code: esc_sql(), $wpdb->prepare()
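As an added illustration of the workaround above (this is not the All In Menu plugin's own code; the table, column and function names are hypothetical), the unsafe concatenation pattern beside the $wpdb->prepare() form, plus the caveat on esc_sql():

```php
<?php
// Added example, not the plugin's code: table/column/function names are hypothetical.

// Vulnerable pattern: the request value is concatenated straight into the SQL
// string, so the caller controls part of the query structure.
function aim_demo_get_items_unsafe() {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->prefix}aim_items WHERE menu_id = " . $_GET['menu_id'];
    return $wpdb->get_results( $sql );
}

// Hardened pattern: coerce/sanitize the input, then bind it with $wpdb->prepare().
// %d forces an integer; %s is quoted and escaped by WordPress itself.
function aim_demo_get_items_safe() {
    global $wpdb;
    $menu_id = isset( $_GET['menu_id'] ) ? absint( $_GET['menu_id'] ) : 0;
    $slug    = isset( $_GET['slug'] ) ? sanitize_text_field( wp_unslash( $_GET['slug'] ) ) : '';

    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}aim_items WHERE menu_id = %d AND slug = %s",
        $menu_id,
        $slug
    );
    return $wpdb->get_results( $sql );
}

// Caveat: esc_sql() only escapes quotes, so it is safe only inside a quoted
// string literal; it does nothing for numeric positions or identifiers such as
// an ORDER BY column. Identifiers must be whitelisted, not escaped.
function aim_demo_order_column( $requested ) {
    $allowed = array( 'title', 'position', 'created' );
    return in_array( $requested, $allowed, true ) ? $requested : 'position';
}
```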

🧯 If You Can't Patch

  • Immediately deactivate and remove the All In Menu plugin from WordPress
  • Implement web application firewall (WAF) rules to block SQL injection patterns

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → All In Menu → Version number

Check Version:

wp plugin list --name='all-in-menu' --field=version

Verify Fix Applied:

Verify plugin version is greater than 1.1.5 or plugin is removed

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in WordPress debug logs
  • Multiple failed SQL query attempts

Network Indicators:

  • HTTP requests with SQL syntax in parameters
  • Unusual database connection patterns

SIEM Query:

source="wordpress.log" AND ("SQL syntax" OR "database error" OR "wp_all_in_menu")
