CVE-2025-5287
📋 TL;DR
This SQL injection vulnerability in the WordPress Likes and Dislikes Plugin allows unauthenticated attackers to inject malicious SQL queries through the 'post' parameter. Attackers can extract sensitive database information including user credentials, personal data, and site content. All WordPress sites using this plugin version 1.0.0 or earlier are affected.
💻 Affected Systems
- WordPress Likes and Dislikes Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to credential theft, data exfiltration, privilege escalation, and potential site takeover.
Likely Case
Extraction of sensitive user data, admin credentials, and plugin/theme configuration information.
If Mitigated
Limited information disclosure if database permissions are properly restricted and sensitive data is encrypted.
🎯 Exploit Status
SQL injection via GET/POST parameters requires minimal technical skill to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://plugins.trac.wordpress.org/browser/inprosysmedia-likes-dislikes-post/trunk/inprosysmedia-likes-dislikes-post.php#L76
Restart Required: No
Instructions:
1. Deactivate and delete the plugin via WordPress admin panel. 2. Remove plugin files from /wp-content/plugins/inprosysmedia-likes-dislikes-post/. 3. Consider alternative like/dislike plugins with security updates.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
allDeploy WAF rules to block SQL injection patterns targeting the 'post' parameter.
Input Validation Filter
allAdd WordPress filter to sanitize 'post' parameter before plugin processing.
Add to theme's functions.php: add_filter('pre_post', 'intval');
🧯 If You Can't Patch
- Immediately deactivate the plugin via WordPress admin interface
- Implement network-level blocking of requests containing SQL injection patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins for 'Likes and Dislikes Plugin' version 1.0.0 or earlier.Check Version:
wp plugin list --name='Likes and Dislikes Plugin' --field=versionVerify Fix Applied:
Confirm plugin is deactivated/removed and test with SQL injection payloads that should be blocked.📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in WordPress debug logs
- Multiple requests with SQL keywords in 'post' parameter
- Requests to plugin endpoints with suspicious payloads
Network Indicators:
- HTTP requests containing SQL injection patterns in query strings
- Unusual database query patterns from web server
SIEM Query:
source="web_logs" AND (uri_path="*likes-dislikes*" AND query="*post=*SELECT*" OR query="*post=*UNION*")