
CVE-2025-28967: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Steve Truman Contact Us page - Contact people LITE

Severity: High
Tags: Vulnerability, CVE-2025-28967, CWE-89
Published: Fri Jul 04 2025 (07/04/2025, 08:42:14 UTC)
Source: CVE Database V5
Vendor/Project: Steve Truman
Product: Contact Us page - Contact people LITE

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Steve Truman Contact Us page - Contact people LITE allows SQL Injection. This issue affects Contact Us page - Contact people LITE: from n/a through 3.7.4.

AI-Powered Analysis

Last updated: 07/04/2025, 09:10:34 UTC

Technical Analysis

CVE-2025-28967 is a high-severity SQL injection vulnerability (CWE-89) in the 'Contact Us page - Contact people LITE' plugin by Steve Truman. All versions through 3.7.4 are affected; the record gives no lower bound (n/a). The assigning CNA is Patchstack, which handles the WordPress plugin ecosystem. The defect is the one CWE-89 names: request data reaches an SQL statement without being neutralized, so a quote or other special character in the input terminates the intended literal and whatever follows is parsed and executed as SQL. The CVSS v3.1 base score is 8.5 with the components AV:N, PR:L, UI:N, S:C, C:H, I:N and A:L; that score is only consistent with low attack complexity (AC:L). In plain terms the flaw is reachable over the network, needs no victim interaction, and requires only low privileges, which for a plugin usually means any authenticated account rather than an administrator. The changed scope (S:C) reflects that an injected query executes against the site's database, an authority beyond the plugin itself, so data belonging to other components of the installation is within reach. The impact triple (C:H, I:N, A:L) describes read-only exfiltration: an attacker can extract any data the plugin's database account can read, such as stored contact details, account records or configuration values, without modifying or deleting anything, with at most minor disruption from heavy or malformed queries. At the time of this analysis no exploitation in the wild has been reported and no patch or fixed version is linked in the record.
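The following added example illustrates the defect class and the read-only impact profile described above. It is generic demonstration code, not the plugin's source: the schema, the column names, the "look up a contact by name" feature and the sample rows are all constructed for the illustration and make no claim about the real plugin's queries or parameters. It uses Python's built-in sqlite3 so it runs offline.

```python
"""CWE-89 in miniature: string-spliced SQL versus a bound parameter.

Added example, not code from the 'Contact Us page - Contact people LITE'
plugin. Tables, columns and rows are constructed for the demonstration.
"""
import sqlite3

# Constructed schema: the feature is only meant to read `contacts`, while
# `users` stands in for data the plugin was never supposed to expose.
SCHEMA = """
CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
CREATE TABLE users    (id INTEGER PRIMARY KEY, login TEXT, pass_hash TEXT);
INSERT INTO contacts VALUES (1, 'Alice', 'alice@example.org'),
                            (2, 'Bob',   'bob@example.org');
INSERT INTO users    VALUES (1, 'admin', 'constructed-hash-value');
"""


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_contact_vulnerable(conn, name):
    # BAD: the request value is spliced into the SQL text. A quote in `name`
    # closes the literal and the remainder is parsed as SQL. This is the
    # pattern CWE-89 describes and the one this CVE falls under.
    sql = f"SELECT name, email FROM contacts WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_contact_safe(conn, name):
    # GOOD: the value travels to the engine as a bound parameter. It is
    # compared as data and is never parsed as part of the statement.
    sql = "SELECT name, email FROM contacts WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed UNION payload: terminates the string literal, appends a second
# SELECT against a table outside the feature's intent, and comments out the
# dangling quote. It only reads, which is why such a flaw scores C:H with
# I:N: data leaves the database, nothing in it is changed.
PAYLOAD = "x' UNION SELECT login, pass_hash FROM users --"


def demo():
    """Return (rows leaked by the vulnerable query, rows from the safe query)."""
    conn = new_db()
    leaked = find_contact_vulnerable(conn, PAYLOAD)
    safe = find_contact_safe(conn, PAYLOAD)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable query returned:", leaked)   # [('admin', 'constructed-hash-value')]
    print("parameterized query returned:", safe)  # []
```

The parameterized version is not "filtering" the payload; it searches for a contact whose name is literally the payload string and finds none. That is the property to look for when reviewing plugin code: the input should never be able to change the shape of the statement, only the value being compared.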

Potential Impact

For European organizations this vulnerability is a substantial concern wherever the affected plugin is deployed, on public websites or on intranet portals. The high confidentiality impact means personal data protected under GDPR, including the names and contact details a contact form naturally collects, could be disclosed, with regulatory and reputational consequences. The low availability impact suggests limited service disruption, but the leaked data can seed further attacks: extracted credential hashes or tokens can be cracked or replayed, and contact records can be used for targeted phishing and fraud. Sectors that process sensitive personal data, such as finance, healthcare and government, are particularly exposed. The requirement for a low-privilege account reduces the likelihood of indiscriminate mass exploitation but does not eliminate it, since sites that allow self-registration or that have leaked credentials already provide that foothold. With no patch linked in the record, the window for mitigation is open-ended, and a breach at one organization can spill over to partners and clients whose details are held in the same database.

Mitigation Recommendations

European organizations should immediately inventory their web applications for installations of the 'Contact Us page - Contact people LITE' plugin, paying particular attention to version 3.7.4 and earlier. Until an official fix is released, the following mitigations apply:

1) Because exploitation requires an authenticated low-privilege account (PR:L), tighten who can hold one: disable open self-registration where it is not needed, remove stale accounts, and restrict administrative and authenticated endpoints to trusted networks. Restricting the public contact page itself defeats its purpose and is rarely the right lever.
2) Deploy a Web Application Firewall with rules that block common SQL injection patterns (quotes followed by UNION or OR, comment sequences such as -- and /*, stacked statements) in requests to the plugin's endpoints, treating the WAF as a stopgap rather than a fix.
3) Review the plugin's code and make every query use parameterized statements; for WordPress plugins that means routing queries through $wpdb->prepare() with %s and %d placeholders rather than string concatenation. Input validation is a useful second layer but not a substitute for parameterization.
4) Monitor web-server and database logs for injection attempts: quotes, UNION SELECT or comment sequences inside request parameters, database error messages or HTTP 500 responses from the contact page, and unusually large or slow responses that may indicate data extraction.
5) Enforce least privilege on the database account the site uses: SELECT-only access where possible and no access to tables the plugin does not need. Note that a CMS normally shares one database account across all plugins, so this limits rather than removes the exposure.
6) Prepare incident response plans for a data breach originating from this vulnerability, including the notification obligations under GDPR.
7) Track the vendor and the Patchstack advisory for a fixing release and apply it promptly once available.
8) If the plugin is not critical to operations, disable or remove it until a fix exists.
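For the log-monitoring step, the following added example scans web-server access logs for the injection indicators listed above. It is illustrative code written for this page, not part of the advisory or of the plugin. The log lines are constructed in Apache/nginx combined format, and the request path and the parameter name "person" are invented for the demonstration; the real plugin's parameter names are not known from this record.

```python
"""Flag SQL-injection attempts in web-server access logs.

Added example, not part of the advisory. Sample log lines and the
'/contact/?person=' endpoint are constructed for the illustration.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators that appear in injection payloads but almost never in legitimate
# contact-form input. Each is matched against the fully decoded parameter value.
INDICATORS = [
    ("union_select", re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b", re.I)),
    ("comment_seq", re.compile(r"(--|#|/\*)")),
    ("tautology", re.compile(r"'\s*(or|and)\s*'?[\w\s]*'?\s*=\s*'?", re.I)),
    ("stacked_or_delay", re.compile(r";\s*\w|\b(sleep|benchmark|pg_sleep)\s*\(", re.I)),
    ("schema_probe", re.compile(r"\binformation_schema\b", re.I)),
]


def decode(value, extra_rounds=2):
    # parse_qsl has already decoded once. Attackers double-encode (%2527 for a
    # quote) to slip past single-pass filters, so decode a bounded number of
    # additional times until the value stops changing.
    for _ in range(extra_rounds):
        new = unquote_plus(value)
        if new == value:
            break
        value = new
    return value


def scan_line(line):
    """Parse one log line; return a dict with any indicator hits, or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    hits = []
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode(raw)
        for name, rx in INDICATORS:
            if rx.search(value):
                hits.append((key, name))
    return {"ip": m["ip"], "path": parts.path, "status": m["status"], "hits": hits}


def scan(lines):
    """Return only the parsed lines that carry at least one indicator."""
    return [r for r in (scan_line(l) for l in lines) if r and r["hits"]]


# Constructed sample: one benign lookup, a UNION-based extraction attempt, a
# double-encoded tautology probe that produced a server error, and an
# unrelated POST with no query string.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Jul/2025:09:12:01 +0000] "GET /contact/?person=Alice HTTP/1.1" 200 5123',
    '203.0.113.7 - - [04/Jul/2025:09:12:05 +0000] "GET /contact/?person=x%27%20UNION%20SELECT%20'
    'login%2Cpass_hash%20FROM%20users--%20- HTTP/1.1" 200 6011',
    '198.51.100.9 - - [04/Jul/2025:09:13:44 +0000] "GET /contact/?person=%2527%2520or%2520'
    '%25271%2527%253D%25271 HTTP/1.1" 500 0',
    '192.0.2.44 - - [04/Jul/2025:09:14:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["path"], hit["hits"])
```

Two caveats for production use: POST bodies are not in access logs, so the same indicators should also be applied at the WAF or application layer, and a 500 response paired with a quote in a parameter is a stronger signal than either alone, which is why the status code is carried through to the result.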


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-03-11T08:10:27.473Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 686796cb6f40f0eb729fa56d

Added to database: 7/4/2025, 8:54:35 AM

Last enriched: 7/4/2025, 9:10:34 AM

Last updated: 8/9/2025, 1:31:26 AM
