CVE-2025-7036: 
WordPress vulnerability analysis and mitigation

The CleverReach® WP plugin for WordPress contains a time-based SQL Injection vulnerability (CVE-2025-7036) discovered on August 5, 2025. The vulnerability affects all versions up to and including 1.5.20. The issue exists in the 'title' parameter due to insufficient escaping of user-supplied input and inadequate SQL query preparation (NVD).

The vulnerability is classified as SQL Injection (CWE-89) with a CVSS v3.1 base score of 7.5 (HIGH), and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue stems from improper handling of the 'title' parameter in the plugin's search functionality, allowing attackers to append additional SQL queries to existing database queries (Wordfence).

The vulnerability allows unauthenticated attackers to extract sensitive information from the database through SQL injection techniques. The high CVSS score indicates significant potential for data compromise, though integrity and availability are not directly affected (NVD).

The plugin has been temporarily closed as of August 1, 2025, pending a full security review. Users are advised to disable the plugin until a patched version is released (WordPress).