CVE-2025-1986: 
WordPress vulnerability analysis and mitigation

The Gutentor WordPress plugin before version 3.4.7 contains a SQL injection vulnerability identified as CVE-2025-1986. The vulnerability was discovered and reported by researcher Greshow, and was publicly disclosed on March 11, 2025. The issue affects the plugin's parameter handling in SQL statements, specifically impacting WordPress installations using the Gutentor plugin (WPScan).

The vulnerability stems from improper parameter handling where the plugin fails to sanitize and escape a parameter before using it in a SQL statement. The issue can be exploited through the WordPress REST API endpoint at '/wp-json/gutentor-self-api/v1/get_authors'. The vulnerability has been assigned a CVSS score of 4.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N, indicating network accessibility with low attack complexity but requiring high privileges (NIST NVD).

The vulnerability allows authenticated administrators to perform SQL injection attacks against the affected WordPress installation. While the impact is somewhat limited due to the high privilege requirement (admin access), successful exploitation could lead to unauthorized database access and potential data manipulation (WPScan).

The vulnerability has been patched in Gutentor version 3.4.7. Users are advised to update to this version or later to mitigate the risk. No alternative workarounds have been publicly documented (WPScan).