CVE-2025-47490: 
WordPress vulnerability analysis and mitigation

The CVE-2025-47490 is a SQL Injection vulnerability affecting Rustaurius Ultimate WP Mail plugin versions through 1.3.4. The vulnerability was discovered and disclosed on May 7, 2025, allowing authenticated users with Contributor-level privileges or higher to perform SQL injection attacks (Wiz, NVD).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). It has received a CVSS v3.1 base score of 8.5 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L, indicating network accessibility, low attack complexity, and requiring low privileges (Patchstack).

The SQL injection vulnerability could allow malicious actors to directly interact with the database, potentially leading to unauthorized access to sensitive information stored in the WordPress database. The CVSS score indicates high potential for confidentiality breach and low impact on availability (Patchstack).

The vulnerability has been patched in version 1.3.5 of the Ultimate WP Mail plugin. Users are advised to update to this version or later to remove the vulnerability. For Patchstack users, enabling auto-update for vulnerable plugins is recommended as an additional security measure (Patchstack).