CVE-2025-24728: 
WordPress vulnerability analysis and mitigation

The Bug Library WordPress plugin was found to contain an SQL Injection vulnerability (CVE-2025-24728) affecting versions up to and including 2.1.4. The vulnerability was discovered by researcher stealthcopter and publicly disclosed on January 24, 2025. This security issue affects authenticated users with contributor-level access or higher (WPScan).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries in the Bug Library plugin. This security flaw allows authenticated attackers with contributor-level privileges to append additional SQL queries to existing ones, potentially enabling the extraction of sensitive information from the database. The vulnerability has been assigned a CVSS score of 6.5 (medium) and is classified under OWASP Top 10 A1: Injection and CWE-89 (WPScan, Patchstack).

The exploitation of this vulnerability could allow malicious actors to directly interact with the database, potentially leading to unauthorized access and theft of sensitive information stored within the WordPress database (Patchstack).

The vulnerability has been patched in version 2.1.5 of the Bug Library plugin. Site administrators are strongly advised to update to this version or later to remediate the security risk. Users of Patchstack can enable auto-updates for vulnerable plugins as an additional security measure (Patchstack).