CVE-2025-28967: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Steve Truman Contact Us page - Contact people LITE
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Steve Truman Contact Us page - Contact people LITE allows SQL Injection. This issue affects Contact Us page - Contact people LITE: from n/a through 3.7.4.
AI Analysis
Technical Summary
CVE-2025-28967 is a high-severity SQL Injection vulnerability (CWE-89) affecting the 'Contact Us page - Contact people LITE' plugin developed by Steve Truman, up to version 3.7.4. The vulnerability arises from improper neutralization of special elements in SQL commands, allowing an attacker with at least low privileges (PR:L) and no user interaction (UI:N) to inject malicious SQL remotely over the network (AV:N). The vulnerability has a CVSS v3.1 base score of 8.5, indicating a significant risk. The scope is changed (S:C), meaning the vulnerability can impact resources beyond the initially vulnerable component. The impact metrics show high confidentiality impact (C:H), no integrity impact (I:N), and low availability impact (A:L). This suggests that an attacker can extract sensitive data from the backend database without modifying or deleting data, but may cause minor service disruptions. The vulnerability is exploitable remotely without user interaction but requires some level of privileges, such as an authenticated user or a user with limited access. No known exploits are currently reported in the wild, and no patches have been linked yet. The flaw lies in the SQL query handling of the Contact Us page plugin, which is commonly used in web applications to manage user inquiries and contact information. Exploitation could lead to unauthorized disclosure of sensitive data stored in the database, such as user contact details or internal configuration data, posing a significant privacy and security risk.
Potential Impact
For European organizations, this vulnerability poses a substantial threat, especially for those using the affected plugin on their websites or intranet portals. The high confidentiality impact means that sensitive personal data protected under GDPR could be exposed, leading to regulatory penalties and reputational damage. The low availability impact suggests limited disruption to services, but data leakage could facilitate further attacks or fraud. Organizations in sectors such as finance, healthcare, and government, which often handle sensitive personal data, are particularly at risk. Additionally, the vulnerability could be leveraged by attackers to perform reconnaissance or escalate privileges within the network. The requirement for some level of privileges reduces the risk of mass exploitation but does not eliminate it, as attackers may gain initial access through other means. The lack of a patch increases the urgency for mitigation. Given the interconnected nature of European digital infrastructure, exploitation in one organization could have cascading effects, including data breaches affecting partners or clients.
Mitigation Recommendations
European organizations should immediately audit their web applications to identify installations of the 'Contact Us page - Contact people LITE' plugin, particularly versions up to and including 3.7.4. Until an official patch is released, organizations should implement the following mitigations:
1) Restrict access to the Contact Us page to trusted users or IP ranges to limit exposure.
2) Deploy Web Application Firewall (WAF) rules that detect and block SQL injection patterns in requests to this plugin's endpoints.
3) Review the plugin's database code and, where possible, add input validation and convert string-built queries to parameterized queries.
4) Monitor web-server and database logs for unusual queries or SQL error messages indicative of injection attempts.
5) Enforce the principle of least privilege on the database account used by the plugin, so that a successful injection can read as little as possible.
6) Prepare incident response plans for a data breach involving this vulnerability.
7) Track vendor and community patch releases and apply updates promptly once available.
8) Consider temporarily disabling or removing the plugin if it is not critical to operations.
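One way to put mitigation 4 (log monitoring) into practice is a small triage script over web-server access logs that flags SQL-injection-style probing aimed only at the contact-page endpoint. This is an added example, not code from the advisory or from the plugin; the `/contact` path, the combined-log format and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Assumed request path of the plugin's contact form (hypothetical, not from the advisory).
CONTACT_PATH_RE = re.compile(r"/contact", re.IGNORECASE)

# Detection signatures for common SQL-injection probing, named for readable triage output.
SQLI_PATTERNS = {
    "quote-tautology": re.compile(r"'\s*(or|and)\s+['\d]", re.IGNORECASE),
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.IGNORECASE),
    "trailing-comment": re.compile(r"(--|#|/\*)\s*$"),
    "stacked-statement": re.compile(r";\s*(drop|insert|update|delete|select)\b", re.IGNORECASE),
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.IGNORECASE),
}

# Apache/Nginx combined log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def sqli_indicators(target):
    # Decode twice so double-encoded parameters are inspected in their final form.
    decoded = unquote_plus(unquote_plus(target))
    return [name for name, pat in SQLI_PATTERNS.items() if pat.search(decoded)]

def triage(lines):
    """Return one record per request to the contact page that carries SQLi indicators."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not CONTACT_PATH_RE.search(rec["target"]):
            continue
        found = sqli_indicators(rec["target"])
        if found:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "target": rec["target"], "indicators": found})
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Jul/2025:08:54:35 +0000] "GET /contact-us/?id=3 HTTP/1.1" 200 512',
    '203.0.113.7 - - [04/Jul/2025:08:55:01 +0000] "GET /contact-us/?id=3%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048',
    '198.51.100.9 - - [04/Jul/2025:08:56:12 +0000] "GET /contact-us/?id=1%20UNION%20SELECT%201%2C2%2C3-- HTTP/1.1" 500 301',
    '198.51.100.9 - - [04/Jul/2025:08:57:00 +0000] "GET /blog/?s=%27%20OR%201%3D1 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["indicators"], hit["target"])
```

The last sample line is deliberately outside the contact path and is ignored, which keeps the output focused on the affected plugin rather than on every noisy scanner hit across the site.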
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-03-11T08:10:27.473Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686796cb6f40f0eb729fa56d
Added to database: 7/4/2025, 8:54:35 AM
Last enriched: 7/4/2025, 9:10:34 AM
Last updated: 8/9/2025, 1:31:26 AM