CVE-2025-26946: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability was discovered in the WP Yelp Review Slider WordPress plugin, identified as CVE-2025-26946. The vulnerability affects versions up to 8.1 of the plugin and was discovered by Phat RiO from BlueRock on January 26, 2025. The issue was officially published on February 23, 2025, and involves improper neutralization of special elements used in SQL commands, allowing for blind SQL injection attacks (Patchstack).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and has received a CVSS v3.1 base score of 7.6 (High). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring high privileges (PR:H), no user interaction (UI:N), and has a changed scope (S:C). The impact metrics indicate high confidentiality impact (C:H), no integrity impact (I:N), and low availability impact (A:L) (NVD).

The SQL injection vulnerability could allow a malicious actor with administrative privileges to directly interact with the database, potentially leading to unauthorized access to sensitive information. The severity is considered high due to the potential for data theft, although the overall patch priority is rated as low (Patchstack).

The vulnerability has been patched in version 8.2 of the WP Yelp Review Slider plugin. Users are advised to update to version 8.2 or later to remove the vulnerability. For Patchstack users, enabling auto-update for vulnerable plugins is recommended as an additional security measure (Patchstack).