CVE-2025-52829: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2025-52829) was discovered in DirectIQ Email Marketing WordPress plugin versions up to 2.0. The vulnerability was reported by Nguyen Kim Sang on May 15, 2025, and was publicly disclosed on June 23, 2025. This critical security flaw allows unauthenticated attackers to perform SQL injection attacks against affected WordPress installations (Patchstack).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) with a CVSS v3.1 base score of 9.3 (Critical). The attack vector is network-accessible (AV:N), requires low attack complexity (AC:L), needs no privileges (PR:N), and requires no user interaction (UI:N). The scope is changed (S:C), with high impact on confidentiality (C:H), no impact on integrity (I:N), and low impact on availability (A:L) (Patchstack).

This vulnerability could allow malicious actors to directly interact with the website's database, potentially leading to unauthorized access to sensitive information, data theft, and database manipulation. The high CVSS score of 9.3 indicates that this is a critical vulnerability with significant potential impact (Patchstack).

No official fix is currently available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks. Users are advised to either implement the virtual patch through Patchstack or consider removing and replacing the software, as it appears to be abandoned (Patchstack).