CVE-2025-32204 identifies a critical SQL Injection vulnerability in the Split Test For Elementor plugin developed by rocketelements, affecting all versions up to 1.8.3. The vulnerability stems from improper neutralization of special characters in SQL commands, which allows an attacker to inject arbitrary SQL code into the backend database queries executed by the plugin. This flaw can be exploited remotely without authentication or user interaction, making it particularly dangerous. Successful exploitation could enable attackers to read sensitive data, modify or delete database records, or escalate privileges within the affected WordPress environment. The plugin is used to conduct A/B testing on websites built with Elementor, a widely adopted WordPress page builder, thus exposing a broad attack surface. Although no public exploits have been reported yet, the vulnerability's presence in a popular plugin and the ease of exploitation make it a significant threat. No official patches or mitigation links have been published as of the vulnerability disclosure date, increasing the urgency for administrators to monitor vendor communications and consider temporary protective controls. The vulnerability was assigned by Patchstack and published on April 4, 2025, but lacks a CVSS score, necessitating an expert severity assessment.

The impact of this SQL Injection vulnerability is substantial for organizations using the Split Test For Elementor plugin. Attackers could exploit the flaw to access sensitive customer data, including personally identifiable information stored in the database, leading to privacy violations and regulatory non-compliance. Data integrity could be compromised by unauthorized modifications or deletions, potentially disrupting business operations and damaging trust. Additionally, attackers might leverage this vulnerability to gain further access to the WordPress environment or pivot to other internal systems. For e-commerce, marketing, and content-driven websites relying on Elementor and this plugin, exploitation could result in significant downtime, loss of revenue, and reputational harm. The ease of exploitation without authentication increases the likelihood of automated attacks and widespread scanning by threat actors. Organizations worldwide that rely on WordPress plugins for site functionality are at risk, especially those that have not implemented timely updates or security best practices.

To mitigate this vulnerability, organizations should immediately audit their WordPress installations to identify the presence of the Split Test For Elementor plugin and confirm the version in use. Until an official patch is released, it is advisable to disable or uninstall the plugin to eliminate the attack vector. Web application firewalls (WAFs) should be configured to detect and block SQL Injection payloads targeting this plugin's endpoints. Implementing strict input validation and sanitization at the application level can reduce risk, though this requires code changes by the vendor. Monitoring web server and database logs for unusual query patterns or errors related to the plugin can help detect attempted exploitation. Organizations should subscribe to vendor and security mailing lists for prompt notification of patches or updates. Additionally, regular backups of website data and databases should be maintained to enable recovery in case of compromise. Employing the principle of least privilege for database users can limit the damage potential if exploitation occurs.