CVE-2025-52717: 
WordPress vulnerability analysis and mitigation

An SQL Injection vulnerability (CVE-2025-52717) was discovered in the WordPress LifterLMS plugin affecting versions up to 8.0.6. The vulnerability was reported by researcher ChuongVN on June 2, 2025, and publicly disclosed on July 1, 2025. This unauthenticated SQL injection vulnerability allows attackers to interact directly with the database of affected WordPress installations (Patchstack Database).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command (CWE-89). It received a CVSS v3.1 score of 9.3 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L. The high severity score indicates that the vulnerability is easily exploitable, requires no privileges, and can be executed without user interaction (NVD, Patchstack Database).

The vulnerability allows malicious actors to directly interact with the database, potentially leading to unauthorized access to sensitive information. Given its unauthenticated nature and critical severity rating, the vulnerability is expected to become mass exploited, putting all unpatched installations at risk (Patchstack Database).

The vulnerability has been patched in LifterLMS version 8.0.7. Users are strongly advised to update to this version or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks (Patchstack Database).