CVE-2025-24667: 
WordPress vulnerability analysis and mitigation

An SQL Injection vulnerability (CVE-2025-24667) was discovered in the WordPress Small Package Quotes – Worldwide Express Edition plugin versions 5.2.17 and below. The vulnerability was reported by security researcher Colin Xu on December 19, 2024, and was publicly disclosed on January 18, 2025 (Patchstack Database).

The vulnerability is classified as an SQL Injection issue with a CVSS score of 9.3 (High severity). It falls under the OWASP Top 10 category A3: Injection. The vulnerability can be exploited without authentication, making it particularly dangerous. The technical assessment indicates that this vulnerability could allow attackers to directly interact with the database (Patchstack Database).

This high-severity vulnerability could enable malicious actors to directly interact with the database, potentially leading to unauthorized access to sensitive information. The vulnerability is expected to become mass exploited, according to security assessments (Patchstack Database).

The vulnerability has been fixed in version 5.2.18 of the Small Package Quotes – Worldwide Express Edition plugin. Users are strongly advised to update to this version or later immediately. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack Database).