CVE-2025-54726: 
WordPress vulnerability analysis and mitigation

The JS Archive List WordPress plugin versions prior to 6.1.6 contains an SQL Injection vulnerability (CVE-2025-54726). This high-severity vulnerability was discovered by researcher Bao - BlueRock and publicly disclosed on August 27, 2025. The vulnerability affects the plugin's core functionality and allows unauthenticated attackers to perform SQL injection attacks (Patchstack).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') with a CVSS v3.1 base score of 9.3 (CRITICAL). The attack vector is network-accessible (AV:N), requires low attack complexity (AC:L), needs no privileges (PR:N), requires no user interaction (UI:N), and can affect resources beyond the security scope (S:C) with high confidentiality impact (C:H) and low availability impact (A:L) (Patchstack).

This vulnerability is considered highly dangerous and expected to become mass exploited. It could allow malicious actors to directly interact with the database, potentially leading to unauthorized access to sensitive information, data manipulation, or data theft. The critical CVSS score of 9.3 indicates severe potential impact on affected systems (Patchstack).

Users are strongly advised to update to version 6.1.6 or later immediately to resolve the vulnerability. For users of Patchstack services, a virtual patch has been issued to mitigate this issue by blocking potential attacks until the update can be applied. Additionally, Patchstack users can enable auto-update functionality for vulnerable plugins (Patchstack).