CVE-2025-0853: 
WordPress vulnerability analysis and mitigation

The PGS Core plugin for WordPress contains a SQL Injection vulnerability (CVE-2025-0853) discovered in the 'save_header_builder' function. The vulnerability affects all versions up to and including 5.8.0, where insufficient escaping of the 'event' parameter and inadequate SQL query preparation create a security risk. This vulnerability was disclosed on May 6, 2025, and allows unauthenticated attackers to manipulate SQL queries (NVD, Wiz).

The vulnerability is classified as SQL Injection (CWE-89) and has received a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The technical issue stems from insufficient escaping of the 'event' parameter in the 'save_header_builder' function, allowing attackers to append additional SQL queries to existing ones (NVD).

The vulnerability allows unauthenticated attackers to extract sensitive information from the database by injecting malicious SQL queries into existing database operations. This presents a significant data confidentiality risk as indicated by the high CVSS score (Wiz).

Users should update their PGS Core plugin to a version newer than 5.8.0 when available. The changelog indicates that security fixes have been implemented in recent updates (PGS Changelog).