CVE-2025-46455: 
WordPress vulnerability analysis and mitigation

An SQL Injection vulnerability (CVE-2025-46455) was discovered in IndigoThemes WP HRM LITE WordPress plugin affecting versions through 1.1. The vulnerability was reported by researcher Hiro (Code016Hiro) on April 17, 2025, and was publicly disclosed on April 25, 2025. This security flaw involves improper neutralization of special elements used in SQL commands, allowing unauthenticated attackers to perform SQL injection attacks (Patchstack, Wiz).

The vulnerability has been assigned a CVSS v3.1 score of 9.3 (Critical severity), indicating its critical nature. The security flaw is classified under the OWASP Top 10 category A3: Injection and CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The vulnerability requires no authentication to exploit, making it particularly dangerous (Patchstack).

This SQL injection vulnerability could allow malicious actors to directly interact with the database, potentially leading to unauthorized data access, manipulation, or theft of sensitive information. Given its high CVSS score and unauthenticated nature, the vulnerability is expected to become mass exploited (Patchstack).

While no official fix is currently available, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks. Website administrators are advised to implement the virtual patch immediately until an official fix becomes available (Patchstack).