The vulnerability CVE-2025-39474 in ThemeMove Amely arises from improper neutralization of special elements in SQL commands, enabling SQL Injection attacks. It affects Amely versions up to 3.1.4. The CVSS 3.1 vector indicates the attack can be performed remotely over the network without authentication or user interaction, with a critical impact on confidentiality and a low impact on availability. No official patch or remediation details are provided in the available data.

Successful exploitation could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the backend database, potentially leading to disclosure of sensitive information (high confidentiality impact) and limited denial of service (low availability impact). Integrity impact is reported as none. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider applying temporary mitigations such as input validation and web application firewalls to detect and block SQL injection attempts. Monitor for updates from ThemeMove regarding patches or official mitigations.