CVE-2025-52822: 
WordPress vulnerability analysis and mitigation

An SQL Injection vulnerability (CVE-2025-52822) was discovered in Iqonic Design's WP Roadmap WordPress plugin affecting versions through 2.1.3. The vulnerability was reported on June 19, 2025, and was officially disclosed by Patchstack on June 20, 2025. The issue is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) (NVD, Patchstack).

The vulnerability has received a CVSS v3.1 base score of 8.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L. The vulnerability requires Contributor or higher level privileges to exploit, and it allows malicious actors to perform SQL injection attacks against the WordPress database (Wiz, Patchstack).

This SQL Injection vulnerability could enable attackers to directly interact with the database, potentially leading to unauthorized access to sensitive information stored in the WordPress database. The vulnerability has been assessed as having a high severity impact due to its potential for data breach (Wiz).

Currently, there is no official fix available for this vulnerability. Website administrators running affected versions of the WP Roadmap plugin are advised to consider disabling the plugin until a security patch is released (Wiz, Patchstack).