CVE-2025-7670: 
WordPress vulnerability analysis and mitigation

The JS Archive List plugin for WordPress contains a time-based SQL Injection vulnerability (CVE-2025-7670) in versions up to and including 6.1.5. The vulnerability exists in the buildsqlwhere() function due to insufficient escaping of user-supplied parameters and inadequate SQL query preparation. This security flaw allows unauthenticated attackers to append additional SQL queries to existing ones, potentially extracting sensitive information from the database (NVD CVE).

The vulnerability is classified as SQL Injection (CWE-89) with a CVSS v3.1 Base Score of 7.5 (HIGH), and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue specifically affects the buildsqlwhere() function in the plugin's codebase, where insufficient input validation allows malicious SQL queries to be injected (NVD CVE).

The vulnerability enables unauthenticated attackers to execute arbitrary SQL queries against the WordPress database, potentially leading to unauthorized access to sensitive information. The high CVSS score reflects the serious nature of the potential data exposure, though the impact appears limited to data confidentiality without affecting integrity or availability (NVD CVE).

A fix has been released in version 6.1.6 of the JS Archive List plugin. Users are strongly advised to update to this latest version which includes security improvements and more efficient backend code (WordPress Plugin, GitHub Commit).