CVE-2025-32618: 
WordPress vulnerability analysis and mitigation

The CVE-2025-32618 is a SQL Injection vulnerability discovered in the PickPlugins Wishlist WordPress plugin affecting versions through 1.0.43. The vulnerability was disclosed on April 11, 2025, and allows authenticated users with Subscriber level privileges or higher to perform SQL injection attacks (Patchstack).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) with a CVSS v3.1 Base Score of 8.5 (HIGH). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N). The scope is changed (S:C) with high confidentiality impact (C:H), no integrity impact (I:N), and low availability impact (A:L) (NVD).

The SQL injection vulnerability could allow malicious actors to directly interact with the database, potentially leading to unauthorized access to sensitive information, data theft, and possible database manipulation. Given the high CVSS score of 8.5, this vulnerability is considered highly dangerous and is expected to become mass exploited (Patchstack).

While no official fix is currently available, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the virtual patch immediately or consider temporarily disabling the plugin if virtual patching is not an option (Patchstack).