CVE-2025-49897: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2025-49897) has been identified in gopiplus Vertical scroll slideshow gallery v2 WordPress plugin affecting versions through 9.1. The vulnerability was discovered and reported by Peter Thaleikis, with public disclosure occurring on August 15, 2025 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) with a CVSS v3.1 Base Score of 8.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L). The issue allows for Blind SQL Injection attacks and requires Contributor-level privileges to exploit (NVD).

This vulnerability could allow a malicious actor with Contributor-level access to directly interact with the database, potentially leading to unauthorized data access and information theft. The software is considered abandoned, as it hasn't received updates in over a year, increasing the security risk (Patchstack).

No official fix is available as the software appears to be abandoned. The recommended mitigation strategy is to remove and replace the plugin with an alternative solution. Deactivating the software alone does not remove the security threat unless a virtual patch is deployed (Patchstack).