CVE-2025-9200: 
WordPress vulnerability analysis and mitigation

The Blappsta Mobile App Plugin for WordPress (versions up to 0.8.8.8) contains a SQL Injection vulnerability identified as CVE-2025-9200. The vulnerability was discovered on October 3, 2025, affecting the nh_ynaa_comments() function due to insufficient escaping of user-supplied parameters and inadequate SQL query preparation (NVD).

The vulnerability exists in the nh_ynaa_comments() function where insufficient escaping of user-supplied parameters and lack of proper SQL query preparation allows attackers to inject additional SQL queries into existing ones. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with no required privileges or user interaction (NVD).

This vulnerability allows unauthenticated attackers to append additional SQL queries to existing queries, potentially leading to unauthorized access and extraction of sensitive information from the WordPress database (NVD).

The plugin has been closed as of September 30, 2025, pending a full security review. Users are advised to remove the plugin from their WordPress installations until a patched version becomes available (WordPress Plugin).

The plugin has received negative reviews and complaints regarding support responsiveness and business practices prior to its closure, which may have contributed to the security concerns leading to its temporary removal from the WordPress plugin repository (WordPress Plugin).