CVE-2019-25221: 
WordPress vulnerability analysis and mitigation

The Responsive Filterable Portfolio plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in versions up to and including 1.0.8. This vulnerability was disclosed on December 12, 2024. The affected software is a WordPress plugin that allows users to manage and display portfolios of videos, images, and links (NVD).

The vulnerability exists due to insufficient escaping on the user-supplied 'id' parameter and lack of sufficient preparation on the existing SQL query. This allows attackers to append additional SQL queries into already existing queries. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) and is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command (NVD).

The vulnerability makes it possible for unauthenticated attackers to extract sensitive information from the database through SQL injection attacks. This could lead to unauthorized access to sensitive data stored in the WordPress database (NVD).

Users should upgrade to version 1.0.9 or later of the Responsive Filterable Portfolio plugin, which includes security improvements and fixes for this vulnerability (WordPress Plugin).