CVE-2025-0853 in PGS Core Plugin

Summary

by MITRE • 05/07/2025

The PGS Core plugin for WordPress is vulnerable to SQL Injection via the 'event' parameter in the 'save_header_builder' function in all versions up to, and including, 5.8.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.


Analysis

by VulDB Data Team • 05/20/2026

The PGS Core plugin for WordPress is vulnerable to SQL injection in all versions up to and including 5.8.0. The flaw lies in the save_header_builder function, where the 'event' parameter is neither sanitized nor escaped before use. Because the parameter is not validated and the SQL query is not prepared, crafted input can alter the database operations the plugin performs.

This is a classic SQL injection flaw, categorized as CWE-89: the 'event' parameter is the input an unauthenticated request controls, and save_header_builder incorporates it directly into SQL queries without sanitization or parameter binding. With neither input validation nor query preparation in place, attacker-supplied SQL is executed in the database context.

The impact goes beyond simple data extraction. Unauthenticated attackers can run unauthorized queries and potentially read user credentials, personal information, and other confidential data stored in the WordPress database. Because additional SQL statements can be appended to the existing query, an attacker may manipulate database contents, extract data through UNION-based queries, or, depending on the permissions of the database account, perform destructive operations.

Exploitation follows established attack patterns documented in the MITRE ATT&CK framework under the technique of SQL injection. An attacker can use the weakness to escalate privileges and gain deeper access to the WordPress system, potentially leading to full compromise of the web application and the underlying infrastructure. Because no authentication is required, anyone who can reach the site can attempt exploitation without valid credentials, which makes this a critical risk for WordPress installations running the PGS Core plugin: it provides a direct path to database manipulation and information disclosure.

Mitigation requires immediate action: upgrade to the latest version of the PGS Core plugin, in which the SQL injection flaw has been addressed. Administrators should ensure that input validation and parameter binding (prepared statements) are used so that similar issues do not recur in other applications. Review database access controls so that the web application's database account holds only the permissions it needs, which limits the impact of a successful injection. A web application firewall and database activity monitoring can help detect and block exploitation attempts, and regular security audits and penetration testing should be carried out to find and fix similar vulnerabilities across the plugins and applications in the WordPress ecosystem.
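As an added illustration for the "unprepared query" flaw described above and the parameter-binding mitigation recommended here, the following is a hypothetical WordPress admin-ajax handler written first in the vulnerable pattern and then in a hardened form. It is not the PGS Core plugin's code (this page does not show it); the table name, query shape, nonce action and capability are assumptions.

```php
<?php
// Hypothetical handler for this bug class. It is NOT the PGS Core plugin's
// code; the table name, query shape, nonce action and capability below are
// assumptions made for the example.

// Vulnerable pattern: the request value is concatenated straight into the
// SQL string, so the structure of the query depends on what the client sends.
function hypothetical_save_header_builder_vulnerable() {
    global $wpdb;
    $event = isset( $_POST['event'] ) ? $_POST['event'] : '';
    $table = $wpdb->prefix . 'pgs_header_builder';            // assumed name
    $sql   = "SELECT id, layout FROM {$table} WHERE event = '" . $event . "'";
    return $wpdb->get_results( $sql );                        // unprepared query
}

// Hardened pattern: gate the action, normalise the input, bind the parameter.
function hypothetical_save_header_builder_fixed() {
    global $wpdb;

    // 1. Saving a header layout is an administrative action, so require a
    //    capability and a nonce instead of serving unauthenticated requests.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'pgs_header_builder_save', 'nonce' );  // assumed action

    // 2. Reduce the input to one plain string before it reaches the query.
    $event = isset( $_POST['event'] )
        ? sanitize_text_field( wp_unslash( $_POST['event'] ) )
        : '';

    // 3. $wpdb->prepare() quotes and escapes the %s placeholder itself; the
    //    table name is built from the trusted prefix, never from the request.
    $table = $wpdb->prefix . 'pgs_header_builder';
    $rows  = $wpdb->get_results(
        $wpdb->prepare( "SELECT id, layout FROM {$table} WHERE event = %s", $event )
    );
    wp_send_json_success( $rows );
}

// Registering only the privileged hook (wp_ajax_) means no unauthenticated
// wp_ajax_nopriv_ route for this action exists in the first place.
add_action( 'wp_ajax_pgs_save_header_builder', 'hypothetical_save_header_builder_fixed' );
```

The last point is the one most specific to this advisory: a prepared statement fixes the injection, but removing the unauthenticated route is what takes the handler out of reach of anonymous requests entirely.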

Reservation: 01/29/2025

Disclosure: 05/07/2025

Moderation: accepted

CPE: ready

EPSS: 0.00347

KEV: no

Activities: very low
