Description

The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

PUBLISHED Reserved 2025-12-05 | Published 2026-01-05 | Updated 2026-01-05 | Assigner WPScan

Problem types

CWE-89 SQL Injection

Product status

Default status: unaffected

Any version before 5.0.11: affected

Credits

Alex Tselevich (nos3curity): finder

WPScan: coordinator

References

wpscan.com/...rability/fdd19027-b70e-45a4-882b-77ab1819af91/ exploit vdb-entry technical-description

cve.org (CVE-2025-14124)

nvd.nist.gov (CVE-2025-14124)