
CVE-2025-64114: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in MacWarrior clipbucket-v5

Severity: Medium
Published: Wed Nov 05 2025 (11/05/2025, 23:30:59 UTC)
Source: CVE Database V5
Vendor/Project: MacWarrior
Product: clipbucket-v5

Description

ClipBucket v5 is an open source video sharing platform. Versions 5.5.2 - #151 and below allow authenticated administrators with plugin management privileges to execute arbitrary SQL commands against the database through its ClipBucket Custom Fields plugin. The vulnerabilities require the Custom Fields plugin to be installed and accessible, and can only be exploited by users with administrative access to the plugin interface. This issue is fixed in version 5.5.2 - #.

AI-Powered Analysis

Last updated: 11/05/2025, 23:53:32 UTC

Technical Analysis

CVE-2025-64114 is a medium severity SQL Injection vulnerability (CWE-89) found in the ClipBucket v5 open source video sharing platform, specifically in versions prior to 5.5.2-#152. The vulnerability resides in the Custom Fields plugin, which allows authenticated administrators with plugin management privileges to inject arbitrary SQL commands into the backend database. This improper neutralization of special elements in SQL commands can lead to unauthorized data disclosure and modification, impacting both confidentiality and integrity of the system's data. The attack vector is network-based with low attack complexity, but requires high privileges (administrator access to the plugin interface), and no user interaction is needed. The vulnerability does not impact availability. Although no known exploits have been reported in the wild, the presence of this flaw in an administrative plugin interface poses a significant risk if an attacker gains administrative credentials. The issue is resolved in version 5.5.2-#152 and later. Organizations running vulnerable versions should upgrade promptly. The vulnerability's CVSS vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N) indicates that while exploitation requires privileged access, the impact on confidentiality and integrity is high, making it a serious concern for data-sensitive environments.

Potential Impact

For European organizations using ClipBucket v5 with the vulnerable Custom Fields plugin, this vulnerability could lead to unauthorized access and manipulation of sensitive video platform data, including user information, video metadata, and potentially other stored content. The ability to execute arbitrary SQL commands could allow attackers to extract confidential data or alter database records, undermining data integrity. Although the vulnerability requires administrative privileges, insider threats or compromised administrator accounts could be leveraged to exploit this flaw. This could result in data breaches, reputational damage, and regulatory non-compliance, especially under GDPR requirements for data protection. The impact is particularly critical for media companies, educational institutions, or any organizations relying on ClipBucket for video sharing and content management. The lack of availability impact reduces the risk of service disruption but does not diminish the seriousness of data compromise.

Mitigation Recommendations

1. Upgrade ClipBucket v5 installations to version 5.5.2-#152 or later, where the vulnerability is fixed.
2. Restrict administrative access to the plugin management interface strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA).
3. Regularly audit administrative accounts and plugin usage to detect unauthorized access or suspicious activity.
4. Disable or uninstall the Custom Fields plugin if it is not essential, to reduce the attack surface.
5. Implement database activity monitoring to detect anomalous SQL queries that could indicate exploitation attempts.
6. Employ web application firewalls (WAF) with rules tailored to detect and block SQL injection patterns targeting the ClipBucket platform.
7. Maintain regular backups of the database to enable recovery in case of data tampering.
8. Conduct security awareness training for administrators on the risks of privilege misuse and credential compromise.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-10-27T15:26:14.127Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 690bdff52de49fb2b59d6991

Added to database: 11/5/2025, 11:38:29 PM

Last enriched: 11/5/2025, 11:53:32 PM

Last updated: 11/6/2025, 6:35:04 AM

