CVE-2025-2248: 
WordPress vulnerability analysis and mitigation

The WP-PManager WordPress plugin through version 1.2 contains a SQL injection vulnerability identified as CVE-2025-2248. The vulnerability was discovered in early 2025 and was publicly disclosed on February 16, 2025. The issue affects the plugin's admin functionality and has received a CVSS 3.1 Base Score of 5.4 (Medium) (Wiz).

The vulnerability exists because the plugin fails to properly sanitize and escape a parameter before using it in a SQL statement. The issue specifically affects the admin interface and can be exploited through the wp-admin/admin.php endpoint with the wp-pmanager-cats page parameter. The vulnerability has received a CVSS vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (Wiz).

If successfully exploited, this vulnerability allows authenticated administrators to perform SQL injection attacks against the WordPress database. This could potentially lead to unauthorized access to or modification of database contents (WPScan).

As of the latest reports, there is no known fix available for this vulnerability. Users of the WP-PManager plugin should consider implementing additional security measures or temporarily disabling the plugin until a patch is released (Wiz).