CVE-2025-2511: 
WordPress vulnerability analysis and mitigation

The AHAthat Plugin for WordPress contains a time-based SQL Injection vulnerability (CVE-2025-2511) in all versions up to and including 1.6. The vulnerability was discovered and disclosed on March 19, 2025, affecting the plugin's handling of the 'id' parameter. The plugin has been closed since December 6, 2024, due to security issues (NVD Database, WordPress Plugin).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries, specifically in the handling of the 'id' parameter. The vulnerability has been assigned a CVSS v3.1 base score of 4.9 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. The weakness is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) (NVD Database).

The vulnerability allows authenticated attackers with Administrator-level access to append additional SQL queries to existing queries, potentially enabling the extraction of sensitive information from the database (NVD Database).

The plugin has been closed and is no longer available for download since December 6, 2024. Users are advised to remove the plugin from their WordPress installations as there are no patches available (WordPress Plugin).