CVE-2025-6718 identifies a critical SQL Injection vulnerability in the B1.lt plugin for WordPress, maintained by b1accounting. The vulnerability stems from a missing capability check on the b1_run_query AJAX action, which is intended to run SQL queries. Because the plugin fails to verify whether the user has sufficient authorization before processing these queries, any authenticated user with at least Subscriber-level privileges can exploit this flaw to execute arbitrary SQL commands against the site's database. This can lead to unauthorized data disclosure, modification, or deletion, and potentially full site compromise. The vulnerability affects all versions up to and including 2.2.56. The CVSS v3.1 score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction required. Although no public exploits are reported yet, the vulnerability's nature and ease of exploitation make it a significant threat. The lack of patch links suggests that a fix may not yet be available, increasing urgency for mitigation. This vulnerability is categorized under CWE-862 (Missing Authorization), highlighting the failure to enforce proper access controls on sensitive operations.

The impact of CVE-2025-6718 is substantial for organizations using the B1.lt WordPress plugin, especially those relying on it for business accounting functions. Exploitation allows attackers with minimal privileges to execute arbitrary SQL commands, potentially leading to data breaches involving sensitive financial and personal information stored in the database. Attackers could manipulate or delete critical data, disrupt business operations, or escalate privileges to gain full administrative control over the WordPress site. This compromises confidentiality, integrity, and availability, potentially resulting in financial losses, reputational damage, regulatory penalties, and operational downtime. Given WordPress's widespread use globally, organizations of all sizes that deploy this plugin are at risk, particularly those with subscriber-level user roles that are commonly assigned to customers or registered users. The absence of known exploits in the wild currently provides a window for proactive defense, but the vulnerability's characteristics suggest it could be rapidly weaponized once a public exploit emerges.

To mitigate CVE-2025-6718, organizations should immediately audit their WordPress installations for the presence of the B1.lt plugin and identify the version in use. If an updated patched version is released, apply it promptly. In the absence of an official patch, administrators should restrict user roles to minimize the number of accounts with Subscriber-level or higher privileges, especially limiting access to untrusted users. Implement web application firewall (WAF) rules to detect and block suspicious AJAX requests targeting the b1_run_query action. Additionally, review and harden WordPress user role permissions to ensure least privilege principles are enforced. Monitoring database query logs for unusual or unauthorized SQL commands can help detect exploitation attempts. Consider temporarily disabling the plugin if it is not critical to operations until a patch is available. Finally, maintain regular backups of the WordPress site and database to enable recovery in case of compromise.