CVE-2025-28982 – This SQL injection vulnerability in the WP Pipe... (How to Fix)

Q: What is the severity of CVE-2025-28982?

CVE-2025-28982 has a CVSS score of 9.3 (CRITICAL). This SQL injection vulnerability in the WP Pipes WordPress plugin allows attackers to execute arbitrary SQL commands on the database. All WordPress sites running WP Pipes versions up to 1.4.3 are affected, potentially exposing sensitive data and allowing database manipulation.

📋 TL;DR

This SQL injection vulnerability in the WP Pipes WordPress plugin allows attackers to execute arbitrary SQL commands on the database. All WordPress sites running WP Pipes versions up to 1.4.3 are affected, potentially exposing sensitive data and allowing database manipulation.

💻 Affected Systems

Products:

ThimPress WP Pipes WordPress plugin

Versions: All versions up to and including 1.4.3

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with WP Pipes plugin activated. No special configuration needed for exploitation.

📦 What is this software?

Wp Pipes by Thimpress

View all CVEs affecting Wp Pipes →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution via database functions.

🟠

Likely Case

Unauthorized data access, extraction of sensitive information like user credentials, and potential site defacement.

🟢

If Mitigated

Limited impact with proper input validation and database user permissions, potentially only read access to non-sensitive data.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

SQL injection vulnerabilities in WordPress plugins are frequently weaponized quickly. The public disclosure increases likelihood of exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.4.4 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/wp-pipes/vulnerability/wordpress-wp-pipes-1-4-3-sql-injection-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find WP Pipes and click 'Update Now'. 4. Verify update to version 1.4.4 or later.

🔧 Temporary Workarounds

Disable WP Pipes Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate wp-pipes

Web Application Firewall Rules

all

Implement WAF rules to block SQL injection patterns targeting WP Pipes endpoints

🧯 If You Can't Patch

Implement strict input validation and parameterized queries in custom code
Restrict database user permissions to minimum required privileges

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for WP Pipes version 1.4.3 or earlier

Check Version:

wp plugin list --name=wp-pipes --field=version

Verify Fix Applied:

Verify WP Pipes plugin version is 1.4.4 or later in WordPress admin

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Multiple failed login attempts from single IP
Unexpected database errors in WordPress logs

Network Indicators:

HTTP requests with SQL injection payloads to WP Pipes endpoints
Unusual database connection patterns

SIEM Query:

source="wordpress.log" AND "wp-pipes" AND ("sql" OR "database" OR "mysql") AND ("error" OR "warning")

📊 Metadata

CVE ID: CVE-2025-28982

CVSS v3 Score: 9.3 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

CWE: CWE-89

EPSS Score: 0.04% exploit probability (12th percentile)

Published: July 16, 2025

Last Updated: November 26, 2025

🔗 References

https://patchstack.com/database/wordpress/plugin/wp-pipes/vulnerability/wordpress-wp-pipes-1-4-3-sql-injection-vulnerability?_s_id=cve Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-28982, you might also want to check these: