CVE-2025-46539: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2025-46539 affects the WordPress plugin Fable Extra versions 1.0.6 and below. This security flaw was discovered by researcher timomangcut and was publicly disclosed on April 25, 2025. The vulnerability is classified as an Unauthenticated SQL Injection issue, which has received a CVSS score of 9.3 (Critical severity) (Wiz, Patchstack).

The vulnerability is categorized as an Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) with a CVSS v3.1 score of 9.3, indicating its critical nature. The security flaw allows for SQL Injection attacks that can be executed without requiring authentication, making it particularly dangerous. The vulnerability was initially reported on April 8, 2025, and was subsequently patched in version 1.0.7 of the plugin (Patchstack).

This SQL Injection vulnerability could allow malicious actors to directly interact with the website's database, potentially leading to unauthorized data access, manipulation, or theft of sensitive information. The high CVSS score indicates that this vulnerability is considered highly dangerous and is expected to become mass exploited (Patchstack).

Website administrators are strongly advised to update the Fable Extra plugin to version 1.0.7 or later immediately. For users of Patchstack, a virtual patch has been issued to mitigate this issue by blocking potential attacks until the update can be applied. The patch was made available on April 27, 2025 (Patchstack).